Cybersecurity Archives - Page 38 of 88

Tuesday Morning: Speed of Love

May 17, 2016/12 Comments/in Culture, Cybersecurity /by Rayne

This video fascinates me. I’ve watched it a number of times since Nerdist shared it last month; it’s the 24-minute long set by Freddie Mercury and Queen at the 1985 Live Aid concert held in Wembley Stadium.

Nerdist noted the audience’s response reflects the speed of sound — the visible ripple of fans’ hands speeds across the crowd in response to the sound as it leaves the stage area and travels across the venue. The gif they shared was taken about 16:37 into this set, just as the band begins We Will Rock You.

I think there was more at work here because earlier snaps of the audience reaction during Radio Gaga (roughly 4:25 onward) don’t show the same marked wave across the crowd. But several points in the set Mercury interacts with the audience, coaxing them to sing and shout along with him.

And then at 16:35 when he begins We Will Rock You, the crowd is completely in sync with him. They adore him and are utterly engaged. The wave is not just sound but their feeling for Mercury and his performance.

Can you imagine a politician who could induce such a response?

Cybersecurity
Adobe Flash must die, and Google’s slowly exterminating it in Chrome (Ars Technica) — By year’s end, Flash will be disabled by default in Google’s Chrome browser. It will only play when manually enabled. All part of the slow migration to HTML5 away from risky Flash.

Antivirus app halts heart surgery (Ars Technica-UK) — Holy crap. Why does medical equipment need antivirus software to begin with, let alone how does an A/V app launch and run during surgery?

Artificial Intelligence
Dude, that female TA you hit on? An AI bot (Sydney Melbourne Herald) — Wow. Future’s already here and you can’t tell you’ve been dissed by both your prof and the chick-bot-TA.

A series of tubes
Remote healthcare not ready for prime time (ScienceDaily) — Study using fake patients to test direct-to-consumer teledermatology remote health care systems found security problems with IDs, poor-to-bad assignment of clinicians, many errors made in major diagnoses, insufficient warning to pregnant patients when meds prescribed, just for starters. Think of this as Healthcare Internet of Things Fail.

Super. Fast. Wireless. Internet. Coming. To. YOU! Really? (MIT Technology Review) — Ugh, so breathless with excitement they are about this startup called Starry. I was, too, initially, but we’ve been told this crap for more than a decade. Since this requires the cooperation of Verizon, AT&T, Facebook, and Google to standardize on this platform AND reception relies on line-of-sight, I’m not holding my breath.

The Business
New business for Amazon to tackle: its own private label groceries (Techcrunch) — Amazon doesn’t want to leave a penny on the table. If customers are too price sensitive to click their Dash button for a big name brand consumer good, they’ll offer their own instead. Prime accounts only, though; first goods will be heavy on baby needs, which makes sense given parents are often a captive audience.

Norway’s sovereign (oil) wealth fund to sue Volkswagen (AP) — Fossil fuel-created fund owns 1.64% stake in Volkswagen. It’s suing to protect its assets exposed by VW’s emissions controls cheat. Imagine me laughing at oil suing a car company for the manner in which it promulgated oil consumption.

Norway’s Statoil to launch first floating wind farm (Bloomberg) — This company is well ahead of Shell when it comes to diversifying energy production.

Flint Water Crisis
Michigan’s top law enforcement agent unaware of Michigan State Police “quiet investigation” (WZZM) — Still scratching my head over this one. Why did the governor ask MSP to conduct an administrative — not criminal — investigation, omitting the state attorney general? And who’s conducting a genuine criminal investigation, including the governor’s role?

Gender Equity
Toy maker(s) insisted Iron Man 3 movie must have male, not female villain (The Mary Sue) — In other words, Marvel’s big sweeping superhero movies are really just very long trailers to sell boys’ toys. Girls and women need not apply. I have no idea how they can make a decision based on any realistic data given the dearth of female villains on screen and in toys. Is this just some lame argument for inequity in front and behind the camera?

Running behind, probably read too much today and swamped my processing circuits. Hope mid-week becomes a little more focused — catch you tomorrow!

Thursday Not-Morning: Stupid

May 12, 2016/11 Comments/in Culture, Cybersecurity /by Rayne

Jeepers. I need hip waders. There is just so damned much stupid over the last 24 hours. It’s a veritable flood.

The Future is here, and it’s stupid

Law firm “hires” first artificially intelligent lawyer (Futurism) — Oh how nice. Treat human misery like a fungible commodity by using IBM’s AI ‘lawyer’ Ross to process bankruptcies. Want to bet it’s cheaper to hire paralegals to do the work Ross does? Want to bet Baker & Hostetler’s Ross will be replaced by a competing internet-based firm processing bankruptcies even more inexpensively? Hey Congress: doesn’t it say something to you about the number and kind of bankruptcies when a ‘robot’ can process them?
Facial recognition expected to be $6 billion by 2020 (Curatti) — No invasion of privacy issues there, nor any security risks whatsoever. No chance at all two or more people have the same facial characteristics in terms of dimension.
Chinese tech company prepares for future where our consciousness lives forever in a computer (Bloomberg) — This is really creepy, and yet very much possible in the near-term future. If AI can nearly reproduce you from your social media, why can’t it replicate your consciousness?

The Past remains, and it’s stupid, too

Staffing company Portico sent home a receptionist for not wearing high heels (BBC) — A petition emerged in response, asking Parliament to outlaw such policies; 100,000 signatures mustered overnight. They’ve reversed their position today after a furor arose about their policy requiring women to wear 2-4 inch high heels on the job at a PriceWaterhouse Cooper facility. PwC says it’s not their policy. Come on now — it’s 2016, not 1956. It’s just plain stupid to ask workers of a specific gender to wear attire for looks — attire which causes discomfort and is not recommended by doctors.
Belgian beer company changes iconic American brand name to pander to voters (AdAge) — Take one of the oldest and most recognized U.S. brands on which hundreds of millions of dollars have been spent to entrench an immigrant’s name into the American psyche. Then remove it and replace it with the country’s name for six months. My gods, the stupid on this one. Fortunately a West Michigan brewer is taking advantage of this opportunity with ‘Murica! I could use one right about now.
Some SAP accounting software users attacked because they screwed up in 2010 (The Register) — Talk about time travel. I’m sure there’s some folks who’d like to go back to 2010 and execute that security patch correctly this time before hackers smite their business to smithereens.

The Present’s no gift

Don’t feed the sea turtles (Scientific American) — Surprise! When tourists feed junk food to sea turtles, the turtles’ health mirrors that of humans fed the same crap.
Study: Ransomware cybercriminals provide better, faster service than internet service providers (Nature) — Not even a rational comparison next to Comcast. Seems like there’s a market opportunity here; if crooks held a machine hostage AND offered a PC tune-up, would PC owners happily fork over cash? Hmm.
Marijuana use during pregnancy increases risk for pre-term birth (ScienceDaily) — What a surprise that a psychoactive drug combined with toxic by-products from smoking a plant product might have negative effects on pregnancy.

Ugh. Hope tomorrow is kinder to us. See you in the morning!

Wednesday Morning: Wandering

May 11, 2016/4 Comments/in automobiles, Climate Change, Culture, Cybersecurity /by Rayne

This music video is the result of an insomniac walkabout. I went looking for something mellow I hadn’t heard before and tripped on this lovely little indie folk artistry. Not certain why I haven’t heard Radical Face before given how popular this piece is. I like it enough to look for more by the same artist.

Let’s go wandering…

Volkswagen: 3.0L fix in the offing, but too late for EU and the world?

New catalytic converter may be part of so-called fix for VW and Audi 3.0L vehicles (Bloomberg) — The financial hit affected dividend as reserve for fix/recall/litigation was raised from 6.7B to 16.2B euros. VW group will not have a full explanation about Dieselgate’s origins and costs to shareholders until the end of 2016.
But Netherland’s NO2 level exceeds the 40 microgram threshold in 11 locations, violating EU air pollution standards (DutchNews) — Locations are those with high automobile traffic.
UK government shoveled 105,000 pounds down legal fee rat hole fighting air pollution charges (Guardian-UK) — Look, we all know the air’s dirty. Stop fighting the charges and fix the mess.
UK’s MPs already said air pollution was a ‘public health emergency’ (Guardian-UK) — It’s killing 40-50,000 UK residents a year. One of the approaches discussed but not yet in motion is a scrapping plan for dirty diesel vehicles.
Unfortunately global CO2 level at 400 ppm tipping point, no thanks to VW’s diesel vehicles (Sydney Melbourne Herald) — Granted, VW’s passenger vehicles aren’t the only source, but cheating for nearly a decade across millions of cars played a substantive role.

Mixed government messages about hacking, encryption, and cybersecurity enforcement
Compare: FBI hires a “grey hat” to crack the San Bernardino shooter’s iPhone account, versus FCC and FTC desire for escalated security patching on wireless systems. So which is it? Hacking is good when it helps government, or no? Encryption is not good for government except when it is? How do these stories make any sense?

State of Florida prosecuting security researcher after he revealed FL state’s election website was vulnerable (Tampa Bay Times) — Unencrypted site wide-open to SQL “injection attack” allowed research to hack into the site. Florida arrests him instead of saying thanks and fixing their mess.
UK court rules hacker does not have to give up password (Guardian-UK) — Computer scientist and hacker activist Lauri Love fights extradition to U.S. after allegedly stealing ‘massive quantities’ of data from Fed Reserve and NASA computers; court ruled he does not have to give up password for his encrypted computers taken into custody last autumn.
SWIFT denies technicians left Bangladeshi bank vulnerable to hacking (Reuters) — Tit-for-tat back and forth between Bangladesh Bank and SWIFT as to which entity at fault for exposures to hacking. Funny how U.S. government is saying very little about this when the vulnerability could have been used by terrorists for financing.

Well, it’s not quite noon Pacific time, still morning somewhere. Schedule was off due to insomnia last night; hoping for a better night’s sleep tonight, and a better morning tomorrow. Catch you then!

James Clapper’s Latest Effort To Fearmonger about Snowden’s Damage

May 11, 2016/8 Comments/in Cybersecurity, EO 12333, FISA /by emptywheel

In addition to getting him to admit the US can’t fix the Middle East but we have to stay because our “leadership” is needed there, in this column David Ignatius asked James Clapper, again, about how much damage Edward Snowden has caused.

Clapper said the United States still can’t be certain how much harm was done to intelligence collection by the revelations of disaffected National Security Agency contractor Edward Snowden. “We’ve been very conservative in the damage assessment. Overall, there’s a lot,” Clapper said, noting that the Snowden disclosures made terrorist groups “very security-conscious” and speeded the move to unbreakable encryption of data. And he said the Snowden revelations may not have ended: “The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Let’s unpack this.

Clapper provides two pieces of evidence for damage:

Snowden disclosures have made terrorist groups “very security-conscious”
Snowden disclosures have “speeded the move” [by whom, it’s not entirely clear] to unbreakable encryption

That’s a bit funny, because what we saw from the terrorist cell that ravaged Paris and Belgium was — as The Grugq describes it — “drug dealer tradecraft writ large.” Stuff that they could have learned from watching the Wire a decade ago, with a good deal of sloppiness added in. With almost no hints of the use of encryption.

If the most dangerous terrorists today are using operational security that they could have learned years before Snowden, then his damage is not all that great.

Unless Clapper means, when he discusses the use of unbreakable encryption, us? Terrorists were already using encryption, but journalists and lawyers and US-based activists might not have been (activists in more dangerous places might have been using encryption that the State Department made available).

Neither of those developments should be that horrible. Which may be why Clapper says, “We’ve been very conservative in the damage assessment” even while insisting there’s a lot. Because this is not all that impressive, unless as Chief Spook you think you should have access to the communications of journalists and lawyers and activists.

I’m most interested, however, in this escrow idea.

“The assumption is that there are a lot more documents out there in escrow [to be revealed] at a time of his choosing.”

Snowden and Glenn Greenwald and Laura Poitras and Bart Gellman have said about a zillion times that Snowden handed everything off before he went to Russia. And everyone who knows anything about Russia would assume if he brought documents there, Putin has had them for almost 3 years.

Sure, there are surely documents that reporters have that, reviewed in the future by other people, may result in new disclosures. But the suggestion that Snowden himself is asking the journalists to hold back some of the documents “in escrow” is rather curious. Why would Snowden withhold documents until such time that the technology behind disclosures would be out of date.

I mean, it’s useful as a basis to claim that Snowden will continue to damage the IC when there’s actually not that much evidence he already has. But it doesn’t make much sense to me.

Ah well. In the article Clapper says he’ll be around for 265 days, which means around February 9 of next year, someone else will take up fearmongering about Edward Snowden.

Tuesday Morning: Garbage in, Garbage out [UPDATE]

May 10, 2016/27 Comments/in Culture, Cybersecurity /by Rayne

Why’d I pick this music video, besides the fact I like the tune? Oh, no reason at all other than it’s trash day again.

Speaking of trash…

Facebook furor just frothy foam?
I didn’t add yesterday’s Gizmodo piece on Facebook’s news curation yesterday or the earlier May 3 piece because I thought the work was sketchy. Why?

The entire curation system appears to be contractors — Where is a Facebook employee in this process?

“…News curators aren’t Facebook employees—they’re contractors. One former team member said they received benefits including limited medical insurance, paid time off after 6 months and transit reimbursement, but were otherwise excluded from the culture and perks of working at Facebook. […] When the curators, hired by companies like BCForward and Pro Unlimited (which are then subcontracted through Accenture to provide workers for Facebook), arrive at work each day, they read through a list of trending topics ranked by Facebook’s algorithm from most popular (or most engaged) to least. The curators then determine the news story the terms are related to.

The news curation team writes headlines for each of the topics, along with a three-sentence summary of the news story it’s pegged to, and choose an image or Facebook video to attach to the topic. The news curator also chooses the “most substantive post” to summarize the topic, usually from a news website. […] News curators also have the power to “deactivate” (or blacklist) a trending topic—a power that those we spoke to exercised on a daily basis. …” (emphasis mine)

I see a Facebook-generated algorithm, but no direct employees in the process — only curator-contractors.
Sources may have a beef with Facebook — This doesn’t sound like a happy work environment, does it?

“…Over time, the work became increasingly demanding, and Facebook’s trending news team started to look more and more like the worst stereotypes of a digital media content farm.

[…]

Burnout was rampant. ‘Most of the original team isn’t there anymore,’ said another former news curator. ‘It was a stop-gap for them. Most of the people were straight out of [journalism school]. At least one of them was fired. Most of them quit or were hired by other news outlets.’ …” (emphasis mine)

It’s not as if unhappy contractors won’t have newsworthy tips, but what about unhappy Facebook employees? Where are they in either of Gizmodo’s pieces?
Details in the reporting reveal bias in the complainant(s) — So far I see one reference to a conservative curator, not multiple conservative curators.

“Facebook workers routinely suppressed news stories of interest to conservative readers from the social network’s influential “trending” news section, according to a former journalist who worked on the project.

[…]

Other former curators interviewed by Gizmodo denied consciously suppressing conservative news, and we were unable to determine if left-wing news topics or sources were similarly suppressed. The conservative curator described the omissions as a function of his colleagues’ judgements; there is no evidence that Facebook management mandated or was even aware of any political bias at work. …”

Note the use of “a” in front of “former journalist” and “the” in front of “conservative curator.” (Note also Gizmodo apparently needs a spell check app.)
No named sources confirming the validity of the complaints or other facts in Gizmodo’s reporting — Again, where are Facebook employees? What about feedback from any of the companies supplying contractors; did they not hear complaints from contractors they placed? There aren’t any apparent attempts to contact them to find out, let alone anonymous confirmation from these contract companies. There are updates to the piece yesterday afternoon and this morning, including feedback from Vice President of Search at Facebook, Tom Stocky, which had been posted at Facebook. Something about the lack of direct or detailed feedback to Gizmodo seems off.
Though named in the first of two articles, Facebook’s managing editor Benjamin Wagner does not appear to have been asked for comment. The May 3 piece quotes an unnamed Facebook spokesperson:

When asked about the trending news team and its future, a Facebook spokesperson said, “We don’t comment on rumor or speculation. As with all contractors, the trending review team contractors are fairly compensated and receive appropriate benefits.”

I’m disappointed that other news outlets picked up Gizmodo’s work without doing much analysis or followup. Reuters, for example, even parrots the same phrasing Gizmodo used, referring to the news curators as “Facebook workers” and not contract employees or contractors. Because of this ridiculous unquestioning regurgitation by outlets generally better than this, I felt compelled to write about my concerns.

And then there’s Gizmodo itself, which made a point of tweeting its report was trending on Facebook. Does Gizmodo have a beef with Facebook, too? Has it been curated out of Facebook’s news feed? Are these two pieces really about Facebook’s laundering of Gizmodo?

I don’t know; I can’t tell you because I don’t use Facebook. Not going to start now because of Gizmodo’s sketchy reporting on Facebook, of all things.

Miscellany
Just some odd bits read because today is as themeless as yesterday — lots of garbage out there.

SAS Confidential: Unpacking @AcademicsSay, Part 1 (SAS blog) — This is just good fun and yet it’s an incredibly educational collection of insights into the creation of a popular microblog. Worth a read.
Five Solomon Islands have sunk below sea level (CNN) — This climate change stuff isn’t bullshit. It’s affecting entire cultures with permanent displacement beginning now.
FCC and FTC want security patches from wireless providers yesterday (CNET) — If not sooner. Maybe these patches would have been done already if these firms hadn’t needed to redirect resources to responding to USDOJ’s encroachment on encryption…
Amazon’s new Video Direct goes after Google’s YouTube’s user-created videos (Investor’s Business Daily) — Amazon’s throwing out some monetary chum, too, offering to split a monthly pot of $1M among the creators of most popular videos. This could rock indie film distribution.

Skepticism: I haz it
As I read coverage about news reporting and social media leading up to the general election, I also keep in the back of my mind this Bloomberg report, How to Hack an Election:

As for Sepúlveda, his insight was to understand that voters trusted what they thought were spontaneous expressions of real people on social media more than they did experts on television and in newspapers. […] On the question of whether the U.S. presidential campaign is being tampered with, he is unequivocal. “I’m 100 percent sure it is,” he says.

Be more skeptical. See you tomorrow morning!

UPDATE — 1:30 P.M. EDT —

‏@CNBCnow
JUST IN: Senate Commerce Commtitte chair sends letter to Facebook’s Mark Zuckerberg seeking answers on alleged manipulation of trending news

ARE YOU FUCKING KIDDING ME WITH THIS? THE SENATE GOING TO WASTE TAX DOLLARS ON THIS WHEN EVERY. SINGLE. NEWS. OUTLET. USES EDITORIAL JUDGMENT TO DECIDE WHAT TO COVER AS NEWS?

Cripes, Gizmodo’s ~~poorly sourced hit~~ piece says,

“…In other words, Facebook’s news section operates like a traditional newsroom, reflecting the biases of its workers and the institutional imperatives of the corporation. …”

Yet the Senate is going to pursue this ~~bullshit~~ story after Gizmodo relied on ONE conservative curator-contractor — and their story actually says an algorithm is used?

Jeebus. Yet the Senate will ignore Sheldon Adelson’s acquisition of the biggest newspaper in Las Vegas in a possible attempt to denigrate local judges?

I can’t with this.

UPDATE — 3:35 P.M. EDT —
The Guardian reports the senator wasting our tax dollars questioning a First Amendment exercise by Facebook is John Thune. Hey! Guess who’s running for re-election as South Dakota’s senior senator? Why it’s John Thune! Nothing like using your political office as a free press-generating tool to augment your campaign. I hope Facebook’s algorithm suppresses this manufactured non-news crap.

DOJ Confirms One or More Agencies Acted Consistent with John Yoo’s Crummy Opinion

May 9, 2016/4 Comments/in Cybersecurity, EO 12333 /by emptywheel

There’s a whiff of panic in DOJ’s response to ACLU’s latest brief in the common commercial services OLC memo, which was submitted last Thursday. They really don’t want to release this memo.

As you recall, this is a memo Ron Wyden has been hinting about forever, stating that it interprets the law other than most people understand it to be. After I wrote about it a bunch of times and pointed out it was apparently closely related to cybersecurity, ACLU finally showed some interest and FOIAed, then sued, for it. In March, DOJ made some silly (but typical) claims about it, including that ACLU had already tried but failed to get the memo as part of their suit for Stellar Wind documents (which got combined with EPIC’s suit for electronic surveillance documents). In response, Ron Wyden wrote a letter to Attorney General Loretta Lynch, noting a lie DOJ made in DOJ’s filings in the case, followed by an amicus brief asking the judge in the case to read the secret appendix to the letter he wrote to Lynch. In it, Wyden complained that DOJ wouldn’t let him read his secret declaration submitted in the case (making it clear they’re being kept secret for strategic reasons more than sources and methods), but asking that the court read his own appendix without saying what was in it.

Which brings us to last week’s response.

DOJ is relying on an opinion the 2nd circuit released last year in ACLU’s Awlaki drone memo case that found that if a significant delay passed between the time an opinion was issued and executive branch officials spoke publicly about it — as passed between the time someone wrote a memo for President Bush’s “close legal advisor” in 2002 about drone killings (potentially of American citizens) and the time Executive branch officials stopped hiding the fact they were planning on drone-killing an American citizen in 2010, then the government can still hide the memo.(I guess we’re not allowed to learn that Kamal Derwish was intentionally, not incidentally, drone-killed in 2002?)

This is, in my understanding, narrower protection for documents withheld under the b5 deliberative privilege exemption than exists in the DC Circuit, especially given that the 2nd circuit forced the government to turn over the Awlaki memos because they had been acknowledged.

In other words, they’re trying to use that 2nd circuit opinion to avoid releasing this memo.

To do that they’re making two key arguments that, in their effort to keep the memo secret, end up revealing a fair amount they’re trying to keep secret. First, they’re arguing (as they did earlier) that the ACLU has already had a shot at getting this memo (in an earlier lawsuit for memos relating to Stellar Wind) and lost.

There’s just one problem with that. As I noted earlier, the ACLU’s suit got joined with EPIC’s, but they asked for different things. ACLU asked for Stellar Wind documents, whereas EPIC asked more broadly for electronic surveillance ones. So when the ACLU argued for it, they were assuming it was Stellar Wind, not something that now appears to (also) relate to cybersecurity.

Indeed, the government suggests the ACLU shouldn’t assume this is a “Terrorist Surveillance Program” document.

7 Plaintiffs conclude that the OLC memorandum at issue here must relate to the Terrorist Surveillance Program and the reauthorization of that program because the attorney who authored the memorandum also authored memoranda on the Terrorist Surveillance Program. Pls.’ Opp. at 10. The fact that two OLC memoranda share an author of course establishes nothing about the documents’ contents, nature, purpose, or effect.

Suggesting (though not stating) the memo is not about TSP is not the same as saying it is not about Stellar Wind or the larger dragnets Bush had going on. But it should mean ACLU gets another shot at it, since they were looking only for SW documents the last time.

Which is interesting given the way DOJ argues, much more extensively, that this memo does not amount to working law. It starts by suggesting Wyden’s filing arguing a “key assertion” in the government’s briefs is wrong.

3 Senator Wyden asks the Court to review a classified attachment to a letter he sent Attorney General Loretta Lynch in support of his claim that a “key assertion” in the Government’s motion papers is “inaccurate.” Amicus Br. at 4. The Government will make the classified attachment available for the Court’s review ex parte and in camera. For the reasons explained in this memorandum, however, the Senator’s claim of inaccuracy is based not on any inaccurate or incomplete facts, but rather on a fundamental misunderstanding of the “working law” doctrine.

In doing so, it reveals (what we already expected but which Wyden, but apparently not DOJ, was discreet enough not to say publicly) that the government did whatever this John Yoo memo said government could do.

But, it argues (relying on both the DC and 2nd circuit opinions on this) that just because the government did the same thing a memo said would be legal (such as, say, drone-killing a US person with no due process), it doesn’t mean they relied on the memo’s advice when they took that action.

The mere fact that an agency “relies” on an OLC legal advice memorandum, by acting in a manner that is consistent with the advice, Pls.’ Opp. at 11, does not make it “working law.” OLC memoranda fundamentally lack the essential ingredient of “working law”: they do not establish agency policy. See New York Times, 806 F.3d at 687; Brennan Center, 697 F.3d at 203; EFF, 739 F.3d at 10. It is the agency, and not OLC (or any other legal adviser), that has the authority to establish agency policy. If OLC advises that a contemplated policy action is lawful, and the agency considers the opinion and elects to take the action, that does not mean that the advice becomes the policy of that agency. It remains legal advice. 5

5 Nor could the fact that any agency elects to engage in conduct consistent with what an OLC opinion has advised is lawful possibly constitute adoption of that legal advice, because taking such action does not show the requisite express adoption of both the reasoning and conclusion of OLC’s legal advice. See Brennan Center, 697 F.3d at 206; Wood, 432 F.3d at 84; La Raza, 411 F.3d at 358.

Effectively, DOJ is saying that John Yoo wrote another stupid memo just weeks before he left, the government took the action described in the stupid memo, but from that the courts should not assume that the government took Yoo’s advice, this time.

One reason they’re suggesting this isn’t TSP (which is not the same as saying it’s not Stellar Wind) is because it would mean the government did not (in 2005, when Bush admitted to a subset of things called TSP) confirm this action in the same way Obama officials danced around hailing that they had killed Anwar al-Awlaki, which led to us getting copies of the memos used to justify killing him.

In short, the government followed Yoo’s advice, just without admitting they were following his shitty logic again.

Monday Morning: Scattered

May 9, 2016/18 Comments/in 2016 Election, 2016 Presidential Election, Culture, Cybersecurity /by Rayne

That’s how I feel this morning — my head feels like a bunch of scattered pictures lying on my bedroom floor. Can’t tell how much of this sensation is work hangover from a too-busy weekend, or a result of a themeless news morning.

Often as I browse my feeds I find narratives emerge on their own, bubbling up on their own. Today? Not so much. There are too many topics in flight, too many major stories juggled, too many balls in the air, everything’s a blur.

The biggest stories adrift and muddled are those in which elections are central:

U.S. primary season wrap-up and the general election ahead — and I’m not going to touch this topic with a 20-foot pole. Imma’ let better writers and statisticians handle it without me piling on.
The Philippines election — the leading candidate is alleged to encourage urban vigilante death squads to reduce crime.
Brexit — Britain votes on a referendum next month on whether to exit the EU. Brexit played a role in the election last week of London’s new mayor, Sadiq Khan, who also happens to be London’s first Muslim mayor.
Australia’s double-dissolution election — PM Malcolm Turnbull last week announced both the House of Representatives and the Senate would be dissolved and replaced in an election on July 2nd. Turnbull faces replacement depending on which party amasses the most power during the election. There have only been seven double dissolutions since Australia’s federation under its constitution in 1901.

Anyhoo…here’s some miscellaneous flotsam that caught my eye in today’s debris field.

Number of unique mobile device users: 5 BILLION (Tomi Ahonen) — Do read this blog post, the numbers are mind-boggling. And intelligence agencies want to map and store ALL of the communications generated by these numbers?
Browser company Opera just went after iOS market with VPN offering (PC World) — Opera already announced a free VPN to Windows and Linux users; today it targeted Apple users with a VPN for iOS (do note the limited country availability). Don’t feel left out, Android users, you’ll get a VPN offering from Opera soon.
Swarm of earthquakes detected at Mount St. Helens (KOMO) — The eight-week-long swarm has been likened to those in 2013 and 2014 due to fault slippage. An eruption may not be imminent.
Jihadi Gang Warfare (@thegruq at Medium) — A really good read about the Islamic militant gang in Brussels and how their amateurishness prevented even greater bloodshed in both Paris and Brussels. Unfortunately a primer on how not to do urban terror.
Google isn’t just feeding romance novels to its AI to teach it language (Le Monde) — ZOMG, it’s using them to teach it morals, too! That’s what Le Monde reported that Buzzfeed didn’t.

Valeurs morales

Deux chercheurs de Georgia Tech, Mark Riedl et Brent Harrison, vont encore plus loin. Selon eux, la littérature peut inculquer des valeurs morales à des programmes d’intelligence artificielle. « Nous n’avons pas de manuel rassemblant toutes les valeurs d’une culture, mais nous avons des collections d’histoires issues de ces différentes cultures », expliquent-ils dans leur article de recherche publié en février.

«Les histoires encodent de nombreuses formes de connaissances implicites. Les fables et les contes ont fait passer de génération en génération des valeurs et des exemples de bons comportements. (…) Donner aux intelligences artificielles la capacité de lire et de comprendre des histoires pourrait être la façon la plus efficace de les acculturer afin qu’elles s’intègrent mieux dans les sociétés humaines et contribuent à notre bien-être.»

Moral values

Two researchers from Georgia Tech, Mark Riedl and Brent Harrison, go even further. They believe literature can inculcate moral values in artificial intelligence programs. “We have no manual containing all the values of a culture, but we have collections of stories from different cultures,” they explain in their research article published in February.

“The stories encode many forms of implicit knowledge. Fables and tales were passing generation to generation the values and examples of good behavior. (…) Giving artificial intelligence the ability to read and understand stories may be the most effective way to acculturate them so they can better integrate into human society and contribute to our well-being.”

Gods help us, I hope they didn’t feed the AI that POS Fifty Shades of freaking Grey. Though I’d rather 90% of romance novels for morals over Lord of the Flies or The Handmaid’s Tale, because romance’s depiction of right and wrong is much more straightforward than in literary fiction, even the very best of it.

That’s quite enough trouble to kick off our week, even if it’s not particularly coherent. Catch you tomorrow morning!

Long-Serving Intelligence Executive: Sure, Government Has Been Thoroughly Pawned But What about Ordinary Citizens?

May 9, 2016/2 Comments/in Cybersecurity /by emptywheel

Three months after Obama rolled out a cybersecurity initiative backed by a piece in the WSJ, former Deputy Director of Defense Intelligence David Shedd has decided to critique it (the 3 month delay might have something to do with the fact that, in the interim, Shedd was getting beat up by DOD Inspector General over having created his own private limousine service).

In his op-ed, Shedd questions Obama’s embrace of a public-private partnership. He makes a good point that such government initiatives rely on voluntary participation. He insinuates that Obama ignores the contributions of Apple because of the fight over encryption.

How odd that the president didn’t even mention Apple among the other leading technology firms when it comes to cybersecurity. Apple, America’s (and the world’s) largest and most valuable technology firm, has led the industry in securing its products, a claim the others listed can’t stand by. But of course the president can’t mention Apple as a shining example of American cybersecurity, because his administration is entrenched in a political battle with the company over encryption.

It’s a fair dig. Except that’s the kind of anachronism I wouldn’t expect from a lifetime spook. It is true that Jim Comey was on the war path with Apple since the company made iPhone encryption standard in fall 2014. But things didn’t start ratcheting up until February 16, when DOJ got an All Writs Act to make Apple rewrite their operating system, after Obama wrote the op-ed that didn’t mention Apple.

Shedd then mocks Obama’s efforts to introduce more flexibility in hiring cybersecurity people. Here’s what Obama said:

We’ll do more—including offering scholarships and forgiving student loans—to recruit the best talent from Silicon Valley and across the private sector. We’ll even let them wear jeans to the office. I want this generation of innovators to know that if they really want to have an impact, they can help change how their government interacts with and serves the American people in the 21st century.

Here’s what Shedd (he of the personal limousine service) said:

While this proposal rightly addresses the need to recruit great talent, does the administration really think the ability to wear jeans is going to sway the best and brightest away from the pay in Silicon Valley?

Perhaps we’re all missing the metaphor of “wearing jeans” for smoking pot. But the truth is some people aren’t motivated primarily by personal limousine services; they would like to help the government. One real barrier to hiring talent — people like Ashkan Soltani — is something Shedd has been a very big player in: security clearances.

Which gets me to my real confusion about this piece.

First, even before he talks about how much better the tech industry, at least, is than the government on these issues, Shedd complains that there’s nothing in Obama’s policy for “everyday citizens or industry.”

It’s all well and good to talk about protecting U.S. innovation and giving every American a level of online security. But the president fails to suggest even a single solution that would impact everyday citizens or industry.

Then he lays out how absolutely incompetent the government has been in protecting itself.

[C]onsidering the fact that multiple government agencies, as well as the Justice and Homeland Security departments, have faced significant cyberattacks, this is an odd claim to make.

The most egregious breach took place less than a year ago, when the Office of Personnel Management suffered a huge data breach that continues to impact tens of millions of federal workers and contractors, including those with access to America’s most sensitive secrets. No one was fired over the incident. Is that accountability? In late February, the office’s chief information officer resigned just two days before having to testify before Congress.

The administration’s failed record in cybersecurity extends beyond the breaches on government systems. In a recent score card released by the House Oversight and Government Reform Committee, the majority of federal agencies received subpar, if not failing, grades on their cybersecurity posture.

Among the worst was the Department of Energy, which is charged with protecting our nation’s nuclear technology. Given that the Obama administration had seven years to meet its cybersecurity obligations, why should the American people believe anything will change with a new initiative?

Now, if the government is a cybersecurity sieve, then why is Shedd bitching that there’s nothing in Obama’s policy for “ordinary citizens” or the private industry companies that aren’t getting pawned? Shouldn’t locking down the nation’s nuclear secrets — a point I’ve emphasized — be a higher priority than saving Target from liability when its customers get their credit card data stolen (besides the fact, for customers who can afford an iPhone, as Shedd pointed out, Apple is already doing something)? In a purportedly capitalist society, should the government free private industry of all responsibility for its own security?

Crazier still, Shedd — who worked in Bush’s National Security Council until 2005, then moved to Director of National Intelligence, then in 2010 moved to DIA — is bitching that no one (aside from Katherine Archuleta) got fired for the OPM hack. In several of those positions, Shedd was in a place where he should have been one of the people asking why the security clearance data for 21 million people was readily available to be hacked — though no one in his immediate vicinity thought to ask those questions until 2013 and even then not including the non-intelligence agencies that might be CI problems. He was in a position when he may have — probably should have — reviewed some of the underlying database consolidation of clearance databases, including (at ODNI) identifying them as a counterintelligence threat.

A report published by the Office of the Director of National Intelligence provides some insight: In order to report security clearance volume levels, the National Counterintelligence and Security Center’s Special Security Directorate (SSD) “compiled and processed data from the three primary security clearance record repositories: ODNI’s Scattered Castles (SC); DoD’s Joint Personnel Adjudication System (JPAS); and the Office of Personnel Management’s (OPM) Central Verification System (CVS). To fulfill specific reporting requirements of the FY 2010 IAA, the SSD issued a special data call to the seven IC agencies with delegated authority to conduct investigations or adjudications.” The purpose of the data call was to consolidate security clearance data.

It’s probably not Shedd’s fault personally OPM got hacked, but some of the people who directly worked for him along the way may well bear responsibility.

Moreover, when he bitches about how so little has been accomplished in Obama’s 7 years, it ought to raise questions about why nothing got accomplished in his own decade of service in a position when he might have done something. Perhaps he spent years fighting with Obama (and before him Bush) to do something about the government’s cybersecurity, but if so, that’s what he should be talking about, not that Obama wants to make it easier for hackers to wear jeans to work.

Some of Shedd’s complaints are spot on. Just not coming, as they do, from someone who spent a decade in a position to address cybersecurity himself.

Friday Morning: Gypsy Caravan

May 6, 2016/26 Comments/in Culture, Cybersecurity /by Rayne

TIME, you old gipsy man,
Will you not stay,
Put up your caravan
Just for one day?

— excerpt, Time, You Old Gipsy Man by Ralph Hodgson

If last week’s Friday chamber jazz was most like me, this genre is next to it. Gypsy jazz is what my grandfather always hoped I’d learn to play; I learned to love Django Reinhardt with Stephane Grapelli at his knee. This stuff makes a bad day move along briskly, makes heavy hearts light. I don’t mind the added filip some smart ass added to the embedded video of Hot Club of Dublin featured here — seems fitting for the tune’s mood.

Unfortunately I have to be away from my desk this morning on a mission of mercy. If I’m stuck someplace with decent WiFi I will try to share a few things I’ve been reading. Otherwise use this as an open thread and tell me what you’ve got planned this weekend — hope it’s something fun!

Oops, last minute adders:

Facebook gets smacked by court for storing biometric content (Reuters) — I really dislike Facebook. Just thought I’d tack that on.

Athabasca tar sands south of Fort McMurray threatened by fire (CBC Calgary) — something-something karma-something

A few more adders:

Aussie company touting anti-Zika virus condoms and gel – what? (Sydney Melbourne Herald) — Are you kidding me? Just use a damned condom. Think about it: plain old condoms are recommended as protection against viral STDs like HIV.

Maps showing borders India doesn’t like may earn jail time and fines (QZ-India) — Wondering why this issue has bubbled up again, not that the border with Pakistan has ever been resolved to India’s satisfaction.

Carnegie Mellon team turn human skin into touch tech (The Verge) — Um, this was done back seven years ago by MIT, called “Sixth Sense,” and released as open source a year later. Still wondering why that tech wasn’t commercialized.

Thursday Morning: Burning Bright

May 5, 2016/13 Comments/in Culture, Cybersecurity /by Rayne

Tyger Tyger, burning bright,
In the forests of the night;
What immortal hand or eye,
Could frame thy fearful symmetry?

In what distant deeps or skies.
Burnt the fire of thine eyes?
On what wings dare he aspire?
What the hand, dare seize the fire?

— excerpt, The Tyger by William Blake

Props to Fort McMurray, Alberta, Canada, for evacuating a city under immediate threat of fire without any casualties directly attributable to the blaze. There was one death reported due to a vehicle accident, but it’s not clear the accident was caused by the fire or the evacuation process. I don’t know that an American city could have responded as quickly with the same results, but then Fort McMurray’s folks remember the Slave Lake wildfire five years ago in May 2011. Slave Lake, located roughly 250 miles southwest of Fort McMurray, was similarly forced to evacuate its 7,000 residents after 60 mph winds fanned a forest fire out of control and into the town.

In addition to expanded evacuation south of Fort McMurray, another wildfire in northern Alberta approximately 500 miles northwest of Fort McMurray forced evacuation of the town of High Level last evening. Fortunately, cooler weather will help battling this and Fort McMurray’s blaze; temperatures are expected to be 20 degrees cooler than the 88F degree high reached yesterday in Fort McMurray. There’s no rain in the forecast for nearly a week, though.

If you look at a satellite map of Alberta, you’ll note the areas surrounding these two municipalities actually had quite a bit of forest near them to their west (Fort McMurray is south of the Athabasca tar sands production site by a 30-minute drive). I’d like to know how much of this is boreal forest, which was once aggressively protected by Canada — before Alberta’s Stephen Harper became PM, that is. Despite the efforts of NGOs, expansion of the tar sands escalated dramatically from 2006 on. Now that oil prices have plummeted, production at Athabasca may drop, but too late to prevent damage to a wide swath of forest, not to mention the clearing done to support oil and gas development in northwestern Alberta. With the likelihood of wildfires throughout the rest of the summer running high, let’s hope the current Trudeau administration invests heavily in forest restoration efforts to replace growth lost to both fossil fuel production and to fire.

Reforestation is only a start, thought; additional protections going forward are needed as boreal forest is the largest carbon sink on earth, bigger than rain forests. We Americans don’t pay as much attention to Canadian deforestation because the country’s population is much smaller than Brazil. But Canada’s forests are critically important to reducing CO2, locking it up in trees and preserving it in bogs. We’re Canada’s largest trading partner and its largest consumer of wood products. We should be more aware and more responsible for our role in protecting Canada’s boreal forest.

Bits and pieces

Ford sinks cash into software company Pivotal (Detroit Free Press) — One of the many recent investment/partnerships with technology firms to augment vehicles’ features. Ford said it would have difficulty doing what Pivotal does. Let’s hope Pivotal is more conscious of cybersecurity than its automotive partners.
Former Apple employees to release new AI bot, VIV next week (Apple Insider) — Description sounds like Siri let out of the iPhone, or Amazon’s Alexa on Echo bot. Whatever it is, stay away from me with this stuff.
Nearly 300 million email account credentials floated in criminal underground (Reuters) — A massive collection including tens of millions of accounts on Yahoo, Microsoft, and Gmail email services was offered up in exchange for favorable comments in hacker forums. Something about this scenario sounds fishy, especially since the hacker first asked for 50 rubles (about one dollar) in exchange for all the compromised email accounts’ credentials. Some of the accounts belonged to banking, manufacturing, and retail personnel.
Has the revolution begun? Shareholders protest Reckitt Benckiser’s CEO compensation (Bloomberg) — Is this the beginning of a trend?

Your assignment today: check your area for wildfire or bushfire risk, and develop a personal evacuation strategy. Fortunately in my area we have standing water after nearly 24 hours of rain. Out of here, gang.

UPDATE — 2:00 P.M. EDT —
Fire’s still spreading across portions of Fort McMurray. Reporter vince McDermott believes he just lost his home this morning while he was at work. Must be just awful to cover a story affecting your community so dramatically and find yourself experiencing loss, too.