Posts

Friday Morning: Some Place Warm

Warm, like the Philippines, the home of the Manila sound. It’s Friday once again and today’s jazz genre is the precursor to Pinoy rock (like Freddie Aguilar’s Anak) and Pinoy hip hop (like Andrew E’s Binibirocha).

The Manila sound emerged under Ferdinand Marcos’ regime; wish I knew more about this body of work to identify songs which pushed the envelope politically. You can still hear the ghost-like impact of more than 300 years of Spanish colonialism in some riffs, shaped by other Asian and American influences.

Think I’ll try a mix mix cocktail later today with a little more contemporary Filipino jazz.

Coincidentally, “mix mix” is an apt description for this morning’s post. A lot of smallish, unrelated items in my inbox today…

The canary that didn’t chirp
Reddit may have received a National Security Letter, based on the disappearance of a notice in transparency reporting which up to now indicated no NSLs had been received. Was an NSL sent to Reddit in response to an online discussion last year with Edward Snowden, Laura Poitras, and Glenn Greenwald? Or did some other content trigger a possible NSL?

Department of Homeland Security’s Cyber Security Division wants to fix open source software
“Hello, we’re from the government. We’re here to help you.” Uh-huh. Color me skeptical about this initiative intended to reduce vulnerabilities in open source software. When the government finds a way to insert itself into technology, it’s an opportunity for co-option and compromise. Can you say ‘backdoor’?

Fixing a problem with business iPhones may create a new one
A key reason the USDOJ went after Apple to crack the passcode on the San Bernardino shooter’s iPhone: poor or missing mobile device management software. Had the iPhone’s owner and issuer San Bernardino County installed an MDM app that could override the assigned user’s passcode, the FBI would have had immediate access to the iPhone’s contents. Employers are likely moving toward more and better MDM to prevent a future costly #AppleVsFBI situation. However, the new SideStepper malware is spreading and taking advantage of MDM’s ability to push software to enterprise-owned iPhones without the users’ approval.

FCC’s very busy Thursday

  • FCC approved a $9.25 monthly subsidy for Lifeline-eligible low-income folks to use on high-speed internet service. Now if only high-speed internet was less than $10/month, or available across the U.S. to all low-income citizens…there are still wide swaths of the U.S. where high-speed internet is simply a pipe dream, let alone adequate competition to keep prices within reach of the subsidy.
  • The subsidy’s approval came amid a lot of political scrambling and maneuvering due to conservatives’ resistance on spending (what a surprise, right?), though the investment should increase the number of users able to access state and federal programs online, reducing costs to operate them over the long run.
  • The FCC also voted to proceed with rulemaking on the handling of users’ personal information over ISPs. Privacy is currently regulated on telecommunications by the FCC, but not on ISPs. Implementing rules on ISPs substantially similar to telecoms may protect consumers’ privacy, which is otherwise wide open. It would also force more equitable competition between ISPs and telecoms on consumer communications services. Perhaps this makes it easier to understand why NBC and MSNBC — both owned by cable ISP company Comcast — have been completely in the tank for Donald Trump? (Might even explain why Trump was such an ass to Univision’s Jorge Ramos, as Comcast owns competitor Telemundo.)

Today in literacy

  • Participating in a book club could land you in prison in Angola (QZ) — There’s either more to this story, or Angola is incredibly repressive and ripe for trouble.
  • Fairy tales, now with more firearms (NPR) — The idiots at NRA think there’s not enough violence in fairy tales, so they’ve rewritten them with weapons added. Distorting the Constitution isn’t enough; why not distort children’s fiction, too?
  • Lawful Hacking: Using Existing Vulnerabilities for Wiretapping on the Internet (Northwestern Journal of Technology and Intellectual Property) — Not a book, but a worthwhile read for infosec literacy.

Public Service Announcement: Backup/Alternate Site
You may have noticed the site’s connectivity going up and down; there’s some tinkering going on under the hood. If the site should go down for long, you can find our more recent content at this alternate site (bookmark for emergency use). If the site needs to stay down for longer periods of time for repairs or redesign, we’ll redirect traffic there. Comments left at the other site will not be ported back to this page, however, and the alternate location is not intended to replace this one though you may find you like the alternate site’s mobile version better.

That’s a wrap, I’m off to find some calamondins, or an approximation for a mix mix cocktail. Have a good weekend!

Tuesday Morning: Chasing the Clouds Away

Hope by this afternoon all the major thoroughfares are clear and transportation nearly back to normal along the east coast. You’d think by now we’d have developed and installed self-maintaining highways that melt ice and snow, right?

For now, let’s dig.

A former Goldman Sachs exec parts company with CenturyLink
They called it “creating an environment that was unproductive,” and maybe it was — a diversified telecom organization may not be a great fit for an investment banker, leading to some less-than-productive discussions. But a nearly unanimous vote said Joseph Zimmel, retired GS exec, should not apply for re-election to CenturyLink’s board of directors. Wonder if the rumored-but-not-completed acquisition of Rackspace had anything to do with this rocky situation?

Retail Mixed Bag: Wal-Mart retrenches, Staples rethinks, Shoes.com kicks butt
The Arkansas-based retailer is closing up its 102 Wal-Mart Express stores, as well as a few of its full-sized stores. Were the smaller stores simply too much overhead, or were they cannibalizing sales from larger stores, or did Amazon finally cut into Wal-Mart’s sales enough that Wal-Mart needed to reduce?

Staples, one of the two largest big box office supply retailers, changed up some of its senior management while indicating it may back out of its proposed merger with the other mega office supply retailer, Office Depot. The merger has not received approval yet from the USDOJ. This unresolved deal may be a bigger liability in terms of expense by now, especially when all retail sales have slowed down.

Shoes.com is looking for cash to make some acquisitions. This Canadian online shoe retailer is bucking the retail trend with a strong uptick in sales in spite of stiff competition from Zappos and Amazon.

All three retailers mirror a turn-down in consumption — even Shoes.com. If retail was doing well, there’d be less need to close brick-and-mortar stores or buy up market share.

Six GOP Senators suck up to ISPs while annoying broadband users
Quel surprise: a handful of GOP Senators sent a letter to the FCC saying that standard broadband speeds are arbitrary, and most users don’t need the current baseline speed.

I’d like to know why some tech media won’t name names. Fortunately, The Hill listed the signatories. Senators Roy Blunt (MO), Steve Daines (MT), Deb Fischer (NE), Cory Gardner (CO), Ron Johnson (WI) and Roger Wicker (MS) wrote,

“Looking at the market for broadband applications, we are aware of few applications that require download speeds of 25 Mbps … Netflix, for example, recommends a download speed of 5 Mbps to receive high-definition streaming video, and Amazon recommends a speed of 3.5 Mbps.”

The stupid, it burns almost as much as the visible corporate whoring. Like nobody in their world has multiple users in a household sharing service or online gamers or emerging technology which does need increasingly higher speeds. Hope these folks aren’t on committees for cybersecurity issues — wait, what? Every one of these six dipschitz is on the Senate Commerce Subcommittee on Communications, Technology, Innovation, and the Internet. ~screaming into pillow~

I can’t with this. I must change gears or go insane. Keep the wheels on the road, kids.

The White Paper’s Selective Forgetting on FCC Phone Record Retention History

In two different places, the White Paper justifying the Section 215 dragnet discusses the FCC’s requirements that telecoms retain phone records.

First, without describing what current requirements are or where they came from, it claims current requirements are insufficient to meet national security needs.

If not collected and held by the NSA, telephony metadata may not continue to be available for the period of time (currently five years) deemed appropriate for national security purposes because telecommunications service providers are not typically required to retain it for this length of time.

But then, later, it uses the FCC requirement that telecoms retain records for 18 months as part of its claim that it is no big deal that the government uses these orders to collect information prospectively.

Section 215 orders are not being used to compel a telecommunications service provider to retain information that the provider would otherwise discard, because the telephony metadata records are routinely maintained by the providers for at least eighteen months in the ordinary course of business pursuant to Federal Communications Commission regulations. See 47 C.F.R. § 42.6. In this context, the continued existence of the records and their continuing relevance to an international terrorism investigation will not change over the 90-day life of a FISC order.

It’s a pretty breathtaking selective reliance on FCC regulations. Because, as this post explains, the current 18-month retention requirement actually came about in response to a DOJ request in 1985 based, in part, on their need to access the records for the two purposes for which Section 215 can be used against Americans, terrorism and spying.

Not only does this federal regulation provide a legal retention obligation, but it is also unrelated to the “business purposes” of the telephone companies and in fact was promulgated by the FCC at the specific request of the DOJ in order to aid in terrorism investigations. The retention period had previously been six months, but the DOJ petitioned the FCC to extend it precisely because such telephone records “are often essential to the successful investigation and prosecution of today’s sophisticated criminal conspiracies relating, for example, to terrorism . . . and espionage.” The FCC therefore extended the legal retention period for as long as the DOJ said was necessary.

DOJ/NSA/ODNI may believe that this regulation, which became effective in 1986, is outdated or no longer adequate, but pretending that it (and many similar state regulations) doesn’t exist or that those agencies couldn’t have done more to update or expand this regulation to suit the Executive branch’s current “needs” undermines their argument.

And, as the post further describes, at the precise moment when the government was rolling out the adoption of this use of Section 215 in 2006, the FCC asked but DOJ did not push for an extension of the retention requirements.

In fact, in early 2006, the FCC itself proactively solicited comments on the 18-month retention regulation and the DOJ submitted these comments which — in light of what we know now and the government’s current arguments — is rather remarkable.

First, the DOJ’s comments are dated April 28, 2006, which was reportedly just a month before the DOJ/FBI secured the first Foreign Intelligence Surveillance Court order for bulk collection of U.S. telephone metadata for the NSA under the “business records” provision.

Second, while the DOJ noted problems with the regulation (including that “some” phone companies read it narrowly and argued it would not apply if certain billing methods were used) the DOJ nevertheless stressed the regulation’s continuing importance for counterterrorism, stating that telephone records were a “critical tool in the fight against global terrorism” that had “enabled . . . national security agencies to prevent terrorist acts and acts of espionage.” Moreover, the DOJ stressed its role in setting the legal retention period at 18 months.

Third, the DOJ in fact suggested — in a footnote, near the end — that the FCC “should explore” whether “the existing 18-month rule should be extended,” yet surprisingly the DOJ did not forcefully argue for such an extension.

Perhaps the second White Paper citation above reveals why: because, while DOJ didn’t want to simply extend the retention requirement to the 5-year period it claims it needs (because then it wouldn’t have an excuse to create its own database), it needed the existence of a retention requirement that was longer than its reauthorization period to justify the prospective collection of records (which is legally one of the most egregious parts of this practice).

But now that we know how the timing all fits together, DOJ’s actions in response to FCC’s invitation for a longer deadline repeat the Bush Administration’s earlier implementation of the illegal wiretap program even as Congress was legislating changes to FISA: it shows there were more appropriate means of accomplishing the desired objective that the government chose not to use.

Mind you, one more thing is almost certainly going on: with expanded use of VOIP, the phrase “telecommunications service provider” has expanded meaning over what it had in 1985, and VOIP providers presumably present an entirely different set of records collection issues. And FCC regulations apply very differently to cable providers than they do to telecom providers.

All that said, it’d be nice if DOJ would just commit to whether these FCC regulations exist for the precise purpose that DOJ has chosen instead to use Section 215 for.