CASCADES project: Cost-effective Outbreak Detection in Networks (Hello readers of the CMU Blog report)
CASCADES project: Cost-effective Outbreak Detection in Networks (a study by the School of Computer Science, Carnegie Mellon University): "Rankings are based on the following question: Which blogs should one read to be most up to date, i.e., to quickly know about important stories that propagate over the blogosphere? If I can read 100 blogs, which should I read to be most up to date?" The ranking assumes unit cost (each blog costs 1 unit) and optimizes the information captured, measured as population affected (we want to be the first to know about a story, with many people blogging about it after us).
For almost a decade, the American public has been told time and time again that some of our government's most controversial national security policies and programs are "secret." From warrantless wiretapping to the CIA's torture and "targeted killing" programs, the government has often insisted that our security requires secrecy, and that information about these programs is too sensitive to be shared with the public — even claiming state secrets to have the information shielded from judicial scrutiny.
But an op-ed in the LA Times today by the ACLU's Jameel Jaffer brings up a disturbing trend: Jameel points out numerous instances where the government insisted on secrecy in one context only to later disclose its supposed "secrets" in another – be it an interview with the media or a national book tour. Jameel discusses a recent interview with former CIA lawyer John Rizzo in Newsweek magazine in which Rizzo discusses the scope, process and methods of the CIA's "targeted killing" program — a highly controversial counterterrorism program that had previously been cloaked in official secrecy. Jameel writes:
Yesterday, I posted about how internet certification authorities will sign unqualified names, which have no meaning on the internet.
In addition to unqualified names being meaningless — or, worse than meaningless — there are also meaningless fully-qualified names. And, yes, CAs will sign those names too.
As you may know, the internet domain name system (DNS) has a hierarchical structure: at the top are the top-level domains (TLDs) like .com, .org, and .net. Additionally, each two-letter ISO country code like UK, JP, and CN is also a valid country-code TLD (ccTLD). Finally, there are the lesser-known TLDs like .mobi, .museum, and .int.
Although you can register almost any name (one that contains letters, numbers, dashes, and arguably underscores) underneath the TLDs, the set of TLDs itself is fixed. Although ICANN might someday approve a .mars TLD for the red planet, it has not yet done so. If you try to browse to www.olympus-mons.mars, you won’t get anywhere. (Yet.)
The authorities may seize laptops, cameras and other digital devices at the U.S. border without a warrant, and scour through them for days hundreds of miles away, a federal appeals court ruled.
The 2-1 decision (.pdf) Wednesday by the 9th U.S. Circuit Court of Appeals comes as the government is increasingly invoking its broad, warrantless search-and-seizure powers at the U.S. border to probe the digital lives of travelers.
Under the “border search exception” of United States law, international travelers, including U.S. citizens, can be searched without a warrant as they enter the country. Under the Obama administration, law enforcement agents have aggressively used this power to search travelers’ laptops, sometimes copying the hard drive before returning the computer to its owner.
Courts have ruled that such laptop searches can take place even in the absence of any reasonable suspicion of wrongdoing, and more than 6,500 persons have had their electronic devices searched in this manner since October 2008.
The Obama administration is urging Congress not to adopt legislation that would impose constitutional safeguards on Americans’ e-mail stored in the cloud.
As the law stands now, the authorities may obtain cloud e-mail without a warrant if it is older than 180 days, thanks to the Electronic Communications Privacy Act adopted in 1986. At that time, e-mail left on a third-party server for six months was considered to be abandoned, and thus enjoyed less privacy protection. However, the law demands warrants for the authorities to seize e-mail from a person’s hard drive.
A coalition of internet service providers and other groups, known as Digital Due Process, has lobbied for an update to the law to treat both cloud- and home-stored e-mail the same, and thus require a probable-cause warrant for access. The Senate Judiciary Committee held a hearing on that topic Tuesday.
The companies — including Google, AOL and AT&T — maintain that the law should be changed to reflect that consumers increasingly access their e-mail on servers, instead of downloading it to their hard drives, as a matter of course.
But the Obama administration testified that imposing constitutional safeguards on e-mail stored in the cloud would be an unnecessary burden on the government. Probable-cause warrants would only get in the government’s way.
Do federal judges have the power to reduce jury awards in copyright-infringement cases?
The Obama administration and the Recording Industry Association of America don’t think so. They argued that point Monday before a three-judge panel of the 1st U.S. Circuit Court of Appeals in Boston, which has released a 41-minute audio recording (.mp3) of the hearing.
They were urging the circuit to reinstate a $675,000 file sharing verdict that a Boston jury levied against Joel Tenenbaum, the nation’s second defendant to go to trial against the RIAA in an individual file sharing case. U.S. District Judge Nancy Gertner reduced the verdict to $67,500 last year.
As several Tor project authors, Ben Adida and many others have written, our certificate authority infrastructure has the flaw that any one CA, anywhere on the planet, can issue a certificate for any web site, anywhere else on the planet. This was tolerable when the only game in town was VeriSign, but now that's just untenable. So what solutions are available?
First, some non-solutions: Extended validation certs do nothing useful. Will users be properly trained to look for the extra changes in browser behavior, and to scream when those changes are absent because a site is using a normal cert? Fat chance. Similarly, certificate revocation lists buy you nothing if you can't actually download them (a notable issue if you're stuck behind the firewall of somebody who wants to attack you).
A straightforward idea is to track the certs you see over time and generate a prominent warning if you see something anomalous. This is available as a fully-functioning Firefox extension, Certificate Patrol. This should be built into every browser.
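The cert-tracking idea above, as an added example (not Certificate Patrol's own code): a small Python tracker that remembers the last accepted certificate per host and grades a change by whether the issuer changed and whether the previous cert was still far from expiry. Hostnames, issuer names and fingerprints are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date

# A cert swapped within this many days of its expiry looks like routine renewal.
RENEWAL_WINDOW_DAYS = 30


@dataclass(frozen=True)
class Observation:
    host: str
    fingerprint: str  # hex SHA-256 of the leaf certificate (placeholder values below)
    issuer: str       # subject name of the issuing CA
    not_after: date   # leaf certificate expiry


class CertTracker:
    """Remembers the last accepted certificate per host and grades changes."""

    def __init__(self):
        self._accepted = {}  # host -> Observation

    def check(self, obs, today):
        """Return (verdict, reasons); verdict is 'first-seen', 'ok', 'changed' or 'warn'."""
        prev = self._accepted.get(obs.host)
        if prev is None:
            self._accepted[obs.host] = obs  # trust on first use: nothing to compare against
            return "first-seen", []
        if prev.fingerprint == obs.fingerprint:
            return "ok", []
        reasons = []
        if prev.issuer != obs.issuer:
            reasons.append(f"issuer changed: {prev.issuer!r} -> {obs.issuer!r}")
        days_left = (prev.not_after - today).days
        if days_left > RENEWAL_WINDOW_DAYS:
            reasons.append(f"previous certificate still valid for {days_left} days")
        if obs.not_after < prev.not_after:
            reasons.append("new certificate expires earlier than the one it replaces")
        if reasons:
            return "warn", reasons  # keep the old record until the user calls accept()
        self._accepted[obs.host] = obs  # looks like a routine renewal
        return "changed", []

    def accept(self, obs):
        """Record a certificate the user has explicitly decided to trust."""
        self._accepted[obs.host] = obs


def demo():
    """Constructed scenario: a normal renewal versus a mid-lifetime issuer change."""
    tracker = CertTracker()
    host = "mail.example.com"
    first = Observation(host, "aa" * 32, "CN=Example CA 1", date(2011, 6, 30))
    renewed = Observation(host, "bb" * 32, "CN=Example CA 1", date(2012, 6, 30))
    rogue = Observation(host, "cc" * 32, "CN=Some Other CA", date(2012, 3, 1))
    return [
        tracker.check(first, date(2011, 3, 25)),    # first-seen
        tracker.check(first, date(2011, 3, 26)),    # ok
        tracker.check(rogue, date(2011, 3, 27)),    # warn: new issuer, 95 days left on old cert
        tracker.check(renewed, date(2011, 6, 15)),  # changed: same issuer, old cert nearly expired
    ]


if __name__ == "__main__":
    for verdict, reasons in demo():
        print(verdict, *reasons, sep=" | ")
```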
When legal issues light up the Internet, people turn to EFF for answers. Whether it’s attacks on coders' rights, overreaching copyright claims online, or governments' efforts to censor or spy on people, we are often among the first to hear about troubling events online, and we're frequently the first place people turn to for legal help.
So why are there times when EFF is involved in an important case but is silent or gives only limited information about it? Usually it’s for one of three reasons: to protect the people who have asked us for help, because of a specific court requirement or because we’re putting the strategy into place.
Hugh Pickens writes "The Examiner reports that Wisconsin Republicans claim that no one else can republish a video of United States Representative Sean Duffy (R-WI) complaining about how he is 'struggling' to get by on his $174,000 salary without their permission, even though they originally released the video on YouTube for the whole world to see and now the GOP is trying to take legal action to stop anyone else from republishing the video. The tape caused a stir for Duffy, a first-term conservative best known for his past as a reality TV show star on MTV's The Real World, after Democrats flagged the comments about his taxpayer-funded salary, which is nearly three times the median income in Wisconsin, and criticisms began to flow Duffy's way. Here's a one-minute clip, excerpted from roughly 45 minutes of video of the public Duffy townhall, that the Polk County GOP doesn't want anyone to see."
An anonymous reader writes "Creepy, a package described as a 'geolocation information aggregator,' is turning heads in privacy circles, but should people be worried? Yiannis Kakavas explains why he developed his scary stalking application. Creepy is a software package for Linux or Windows — with a Mac OS X port in the works — that aims to gather public information on a targeted individual via social networking services in order to pinpoint their location. It's remarkably efficient at its job, even in its current early form, and certainly lives up to its name when you see it in use for the first time."
An anonymous reader writes "Boston College has a funny idea of what constitutes copyright infringement. It has a list of what might be called 'you might be a copyright infringer if...' with the sort of things you might expect, such as using file sharing programs or sending mp3s to friends. But some have noticed something odd. Included on the list is using a wireless router in your dorm. Yes, just using a wireless router. Not using it for anything. But just using such a router is considered a sign of infringement. Nice to see our top colleges and universities teaching students completely made up things."
The hack that resulted in Comodo creating certificates for popular e-mail providers including Google Gmail, Yahoo Mail, and Microsoft Hotmail has been claimed as the work of an independent Iranian patriot. A post made to data sharing site pastebin.com by a person going by the handle “comodohacker” claimed responsibility for the hack and described details of the attack. A second post provided source code apparently reverse-engineered as one of the parts of the attack.
The National Security Agency has been called in to help investigate recent hack attacks against the company that runs the Nasdaq stock market, according to a news report.
The agency’s precise role in the investigation hasn’t been disclosed, but its involvement suggests the October 2010 attacks may have been more severe than Nasdaq OMX Group has admitted, or it could have involved a nation state, according to sources who spoke with Bloomberg News.
“By bringing in the NSA, that means they think they’re either dealing with a state-sponsored attack, or it’s an extraordinarily capable criminal organization,” Joel Brenner, former head of U.S. counterintelligence in the Bush and Obama administrations, told the publication. He added that the agency rarely gets involved in investigations of company breaches.
The NSA was called in by Google last year to help the company secure its network after it was targeted in a sophisticated attack.
Regarding the Nasdaq breach, in addition to the Secret Service, the FBI and the NSA, unidentified foreign intelligence agencies are also reportedly assisting in the probe.
On March 7, Camelot Distribution Group, an obscure film company in Los Angeles, unveiled its latest and potentially most profitable release: a federal lawsuit against BitTorrent users who allegedly downloaded the company’s 2010 B-movie revenge flick Nude Nuns With Big Guns between January and March of this year. The single lawsuit targets 5,865 downloaders, making it theoretically worth as much as $879,750,000 — more money than the U.S. box-office gross for Avatar.
At the moment, the targets of the litigation are unknown, even to Camelot. The mass lawsuit lists the internet IP addresses of the downloaders (.pdf), and asks a federal judge to order ISPs around the country to dig into their records for each customer’s name.
It’s the first step in a process that could lead to each defendant getting a personalized letter in the mail from Camelot’s attorneys suggesting they settle the case, lest they wind up named in a public lawsuit as having downloaded Nude Nuns With Big Guns.
A hearing on that request is set for April 13. In all probability none of the alleged downloaders know it’s happening.
As I noted in a previous post, the two Bush administration surveillance memos we obtained last Friday are very heavily redacted. They’re interesting nonetheless.
The first memo, written by Office of Legal Counsel lawyer John Yoo in November 2001, contends that the president has authority as Commander in Chief of the Armed Forces to disregard the Foreign Intelligence Surveillance Act (FISA), a statute that “purports” (Yoo’s word) to regulate government surveillance. It also contends that Congress doesn’t have the power to regulate the president’s authority to gather intelligence for national security purposes. And it contends that intelligence gathering in support of military operations “does not trigger constitutional rights against illegal searches and seizures.” These are radical and insupportable claims, but they’re consistent with the claims that Yoo made in other OLC memos.
As many — EFF included — have been saying for years, filesharing is not the reason that the recording industry has fallen on hard financial times. In fact, the recording industry’s complaints that the sky is falling really only apply to the recording industry, and not musicians and the fans, who have seen increased music purchases, increased artist salaries, and the availability of more music than ever before. And now two new reports further debunk the recording industry's myth.
First, the London School of Economics released a paper finding that while filesharing may explain some of the decline in sales of physical copies of recorded music, the decline “should be explained by a combination of factors such as changing patterns in music consumption, decreasing disposable household incomes for leisure products and increasing sales of digital content through online platforms.” And even if the sales of recorded music are down, there is an important distinction to draw: the recording industry may be hurting, but the music industry is thriving. For example, the LSE paper points out that in the UK in 2009, the revenues from live music shows outperformed recorded music sales.
ACLU and EFF Appeal Ruling In Case Challenging Government Attempt To Obtain Private Data in WikiLeaks Investigation
Alexandria, VA - The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) today appealed a ruling that the government can collect the private records of three Twitter users as part of its investigation related to WikiLeaks. The ruling further held that the users cannot learn which other Internet companies were ordered to turn over information about them to the government. EFF and the ACLU are challenging the ruling on behalf of Birgitta Jonsdottir, an Icelandic parliamentarian who is appealing jointly with fellow Twitter users Jacob Appelbaum and Rop Gonggrijp.
The secret government demands for information about the subscribers' communications came to light only because Twitter took steps to ensure its customers were notified and had the opportunity to respond. The ACLU and EFF have also asked the court to make public any similar orders to any other companies.
"Except in very rare circumstances, the government should not be permitted to obtain information about individuals' private Internet communications in secret. This is not one of those circumstances," said Aden Fine, staff attorney with the ACLU Speech, Privacy and Technology Project. "If the ruling is allowed to stand, our client might never know how many other companies have been ordered to turn over information about her, and she may never be able to challenge the invasive requests."
"Services like Twitter have information that can be used to track us and link our communications across multiple services including Facebook and Gmail," said EFF Legal Director Cindy Cohn. "The Magistrate's ruling that users have no ability to protect that information from the U.S. government is especially troubling."
Iranian hackers obtain fraudulent HTTPS certificates: How close to a Web security meltdown did we get?
On March 15th, an HTTPS/TLS Certificate Authority (CA) was tricked into issuing fraudulent certificates that posed a dire risk to Internet security. Based on currently available information, the incident got close to — but was not quite — an Internet-wide security meltdown. As this post will explain, these events show why we urgently need to start reinforcing the system that is currently used to authenticate and identify secure websites and email systems.
There is a post up on the Tor Project's blog by Jacob Appelbaum, analyzing the revocation of a number of HTTPS certificates last week. Patches to the major web browsers blacklisted a number of TLS certificates that were issued after hackers broke into a Certificate Authority. Appelbaum and others were able to cross-reference the blacklisted certificates' serial numbers against a comprehensive collection of Certificate Revocation Lists (these CRL URLs were obtained by querying EFF's SSL Observatory databases) to learn which CA had been affected.
The answer was the UserTrust "UTN-USERFirst-Hardware" certificate owned by Comodo, one of the largest CAs on the web. Comodo has now published a statement about the improperly issued certs, which were for extremely high-value domains including google.com, login.yahoo.com and addons.mozilla.org (this last domain could be used to trojan any system that was installing a new Firefox extension, though updates to previously installed extensions have a second layer of protection from XPI signatures). One cert was for "global trustee" — not a domain name. That was probably a malicious CA certificate that could be used to flawlessly impersonate any domain on the Web.
Trailrunner7 writes "Just days after news emerged of the attack on a registration authority in Europe tied to Comodo that caused the revocation of a number of fraudulent certificates from the major browsers, Mozilla officials have admitted they made a mistake by not disclosing the details of the incident to its users earlier. 'In hindsight, while it was made in good faith, this was the wrong decision. We should have informed web users more quickly about the threat and the potential mitigations as well as their side-effects.'"
Yesterday, Microsoft released version 9 of Internet Explorer, which includes two significant new privacy features: Tracking Protection Lists (TPLs) and a Do Not Track (DNT) header that allows users to request that websites not track them. We've written about the virtues of the Do Not Track header previously. In this post we'll look more closely at privacy blocklists, a category of technologies that includes the popular AdBlock Plus browser extension and the new IE9 Tracking Protection Lists.
These lists are an important type of privacy technology, with distinct advantages over other approaches. They also have a number of inherent limitations, which makes them natural complements, rather than alternatives, to DNT.
Advantages of Privacy Blocklists
One of the central pledges of Barack Obama's campaign was that -- as he put it early in his presidency -- the Bush administration had gone wildly wrong because it "established an ad hoc legal approach for fighting terrorism that was neither effective nor sustainable -- a framework that failed to rely on our legal traditions and time-tested institutions; that failed to use our values as a compass." Instead, he implored, we must fight Terrorism only "with an abiding confidence in the rule of law and due process, in checks and balances and accountability." Thus, he thunderously vowed, "We must never -- ever -- turn our back on its enduring principles for expedience sake."
The number of instances in which Obama has violently breached his own alleged principles when it comes to the War on Terror and the rule of law are too numerous to chronicle in one place. Suffice to say, it is no longer provocative or controversial when someone like Yale Law Professor Jack Balkin writes, as he did the other day, that Obama "has more or less systematically adopted policies consistent with the second term of the George W. Bush Administration." No rational person can argue that or even tries to any longer. It's just a banal expression of indisputable fact.
Today, the Obama DOJ unveiled the latest -- and one of the most significant -- examples of its eagerness to assault the very legal values Obama vowed to protect. The Wall Street Journal reports that "new rules allow investigators to hold domestic-terror suspects longer than others without giving them a Miranda warning, significantly expanding exceptions to the instructions that have governed the handling of criminal suspects for more than four decades."
Today, the public learned of a previously undisclosed compromise of a trusted Certificate Authority -- one of the entities that issues certificates attesting to the identity of "secure" web sites. Last week, Comodo quietly issued a command via its certificate revocation servers designed to tell browsers to no longer accept 9 certificates. This is fairly standard practice, and certificates are occasionally revoked for a variety of reasons. What was unique about this case is that it was followed by very rapid updates by several browser manufacturers (Chrome, Firefox, and Internet Explorer) that go above and beyond the normal revocation process and hard-code the certificates into a "do not trust" list. Mozilla went so far as to force this update in as the final change to their source code before shipping their major new release, Firefox 4, yesterday.
This implied that the certificates were likely malicious, and may even have been used by a third party to impersonate secure sites.
An anonymous reader writes "The folks over at Lockheed Martin have just released information about their new covert robot that can sneak up on buildings, detect and evade sentries, and send reconnaissance information back to the good guys. From the article: 'What makes the robot special is its ability to build a computer model of its surroundings, incorporating information on lines of sight. The robot is fitted with a laser scanner to allow it to covertly map its environment in 3D. It also has a set of acoustic sensors which it uses to distinguish nearby footsteps and their direction.'"
cultiv8 writes "Under the system, state and local police officers also will eventually use hand-held devices to scan suspects' fingerprints and send the images electronically to the FBI center. 'It's a quick scan to let police officers know if they should let the person go, or take him into custody,' Morris said. In later stages, the NGI system also will be expanded to include the analysis of palm prints, handwriting, faces, human irises and voices."
It’s easy to forget these days, but former President George W. Bush’s illegal warrantless surveillance program was never halted by Congress, nor by the Obama administration. It was merely legalized in a 2008 law called the FISA Amendments Act. That means the surveillance of Americans’ international phone calls and internet use — complete with secret rooms in AT&T data centers around the country — is likely still ongoing.
On Monday, a federal appeals court reinstated a key legal challenge to that surveillance: a lawsuit filed by the ACLU and others within hours of the FISA Amendments Act (.pdf) being signed into law. The lawsuit attacks the constitutionality of the legislation, which allows the government to electronically eavesdrop on Americans without a probable-cause warrant, so long as one of the parties to the communication resides outside the United States, and is suspected of a link to terrorism.
The decision by the 2nd U.S. Circuit Court of Appeals means the ACLU, and other rights groups involved in the suit, might get their day in court. “This is a really big victory,” said ACLU spokeswoman Rachel Myers. “The ruling is that you don’t have to prove you’ve been spied on to challenge an unlawful spy act.”