Cellphones

Should International Travelers Leave Their Phones At Home? (freecodecamp.com) 455

Long-time Slashdot reader Toe, The sums up what he learned from freeCodeCamp's Quincy Larson: "Before you travel internationally, wipe your phone or bring/rent/buy a clean one." Larson's article is titled "I'll never bring my phone on an international flight again. Neither should you." All the security in the world can't save you if someone has physical possession of your phone or laptop, and can intimidate you into giving up your password... Companies like Elcomsoft make 'forensic software' that can suck down all your photos, contacts -- even passwords for your email and social media accounts -- in a matter of minutes.... If we do nothing to resist, pretty soon everyone will have to unlock their phone and hand it over to a customs agent while they're getting their passport swiped... And with this single new procedure, all the hard work that Apple and Google have invested in encrypting the data on your phone -- and fighting for your privacy in court -- will be a completely moot point.
The article warns Americans that their constitutional protections don't apply because "the U.S. border isn't technically the U.S.," calling it "a sort of legal no-man's-land. You have very few rights there." Larson points out this also affects Canadians, but argues that "You can't hand over a device that you don't have."
Electronic Frontier Foundation

Three Privacy Groups Challenge The FBI's Malware-Obtained Evidence (eff.org) 115

In 2015 the FBI took over a Tor-accessible child pornography site to infect its users with malware so they could be identified and prosecuted. But now one suspect is challenging that evidence in court, with three different privacy groups filing briefs in his support. An anonymous reader writes: One EFF attorney argues it's a classic case of an unreasonable search, which is prohibited by the U.S. Constitution. "If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied." But there's another problem, since the FBI infected users in 120 different countries. "According to Privacy International, the case also raises important questions: What if a foreign country had carried out a similar hacking operation that affected U.S. citizens?" writes Computerworld. "Would the U.S. welcome this...? The U.S. was overstepping its bounds by conducting an investigation outside its borders without the consent of affected countries, the group said."
The FBI's evidence is also being challenged by the ACLU of Massachusetts, and the EFF plans to file two more challenges in March, warning that otherwise "the precedent is likely to impact the digital privacy rights of all Internet users for years to come... Courts need to send a very clear message that vague search warrants that lack the required specifics about who and what is to be searched won't be upheld."
Security

Can The Mayhem AI Automate Bug-Patching? (technologyreview.com) 23

"Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks -- or never -- until a patch is put out," says Carnegie Mellon professor David Brumley. "Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it's patched." An anonymous reader quotes MIT Technology Review: Last summer the Pentagon staged a contest in Las Vegas in which high-powered computers spent 12 hours trying to hack one another in pursuit of a $2 million purse. Now Mayhem, the software that won, is beginning to put its hacking skills to work in the real world... Teams entered software that had to patch and protect a collection of server software, while also identifying and exploiting vulnerabilities in the programs under the stewardship of its competitors... ForAllSecure, cofounded by Carnegie Mellon professor David Brumley and two of his PhD students, has started adapting Mayhem to be able to automatically find and patch flaws in certain kinds of commercial software, including that of Internet devices such as routers.

Tests are underway with undisclosed partners, including an Internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively. The focus is on addressing the challenge of companies needing to devote considerable resources to supporting years of past products with security updates... Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40%, representing 89 different products, had at least one vulnerability. The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds. ForAllSecure is also working with the Department of Defense on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.

Privacy

Secret Rules Make It Pretty Easy For the FBI To Spy On Journalists (theintercept.com) 189

schwit1 shares with us a report on an 11-part series led by The Intercept reporter Cora Currier: Secret FBI rules allow agents to obtain journalists' phone records with approval from two internal officials -- far less oversight than under normal judicial procedures. The classified rules, dating from 2013, govern the FBI's use of national security letters, which allow the bureau to obtain information about journalists' calls without going to a judge or informing the news organization being targeted. They have previously been released only in heavily redacted form. Media advocates said the documents show that the FBI imposes few constraints on itself when it bypasses the requirement to go to court and obtain subpoenas or search warrants before accessing journalists' information. The rules stipulate that obtaining a journalist's records with a national security letter requires the signoff of the FBI's general counsel and the executive assistant director of the bureau's National Security Branch, in addition to the regular chain of approval. Generally speaking, there are a variety of FBI officials, including the agents in charge of field offices, who can sign off that an NSL is "relevant" to a national security investigation. There is an extra step under the rules if the NSL targets a journalist in order "to identify confidential news media sources." In that case, the general counsel and the executive assistant director must first consult with the assistant attorney general for the Justice Department's National Security Division. But if the NSL is trying to identify a leaker by targeting the records of the potential source, and not the journalist, the Justice Department doesn't need to be involved. The guidelines also specify that the extra oversight layers do not apply if the journalist is believed to be a spy or is part of a news organization "associated with a foreign intelligence service" or "otherwise acting on behalf of a foreign power." Unless, again, the purpose is to identify a leak, in which case the general counsel and executive assistant director must approve the request.
Government

The US Border Patrol Is Checking Detainees' Facebook Profiles (cnet.com) 502

An anonymous reader quotes CNET: Border patrol agents are checking the Facebook accounts of people who are being held in limbo for approval to enter the U.S., according to a Saturday tweet by immigration lawyer Mana Yegani that was spotted by The Independent... Yegani, who is a member of the American Immigration Lawyers Association, told CNET that checking phones has been reported by other lawyers as part of the vetting process. "[G]oing through passengers phones from the seven banned countries happens when the individual is interrogated (put under extreme vetting)," Yegani said.

Yegani told The Independent that she and other lawyers have been fielding calls from people who are already cleared to live in America, but are getting stuck at the border regardless. "These are people that are coming in legally. They have jobs here and they have vehicles here," Yegani said in the report.

The EFF warns that "Fourth Amendment protection is not as strong at the border as it is in your home or office. This means that law enforcement can inspect your computer or electronic equipment, even if they have no reason to suspect there is anything illegal on it. An international airport, even if many miles from the actual border, is considered the functional equivalent of a border."
AI

Who's Responsible For Accidents Caused By Open Source Self-Driving Car Software? (ieee.org) 114

Here's the problem. "You could download Comma.ai's new open-source Python code from Github, grab the necessary hardware, and follow the company's instructions to add semi-autonomous capabilities to specific Acura and Honda model cars (with more vehicles to follow)," writes IEEE Spectrum. But then who's legally responsible if there's an accident? Long-time Slashdot reader Registered Coward v2 writes: While many legal experts agree OSS is "buyer beware" and that Comma.ai and its CEO Georg Hotz would not be liable, it's a gray area in the law. The software is released under the MIT OSS license and the Read Me contains the disclaimer "This is alpha-quality software for research purposes only... You are responsible for complying with local laws and regulations." The U.S. Supreme Court, in a series of court cases in the 1990s, ruled that open source code is free speech protected under the First Amendment of the U.S. Constitution.

The question is whether that releases the author(s) from liability. The EU has no EU-wide rules on liability in such cases. One open question is that even if the person who used the software could not sue, a third party injured by it might be able to, since they are not a party to the license agreement.

An EFF attorney told HotHardware "Prosecutors and plaintiffs often urge courts to disregard traditional First Amendment protections in the case of software." But not everyone agrees. "Most legal experts that spoke with IEEE Spectrum -- and Hotz himself -- believe that if you use the company's code and something goes wrong, then it isn't liable for damages. You are."
Electronic Frontier Foundation

Three States Propose DMCA-Countering 'Right To Repair' Laws (ifixit.org) 225

Automakers are using the Digital Millennium Copyright Act to shut down tools used by car mechanics -- but three states are trying to stop them. An anonymous reader quotes IFixIt.Org: in 2014, Ford sued Autel for making a tool that diagnoses car trouble and tells you what part fixes it. Autel decrypted a list of Ford car parts, which wound up in their diagnostic tool. Ford claimed that the parts list was protected under copyright (even though data isn't creative work) -- and cracking the encryption violated the DMCA. The case is still making its way through the courts. But this much is clear: Ford didn't like Autel's competing tool, and they don't mind wielding the DMCA to shut the company down...

Thankfully, voters are stepping up to protect American jobs. Just last week, at the behest of constituents, three states -- Nebraska, Minnesota, and New York -- introduced Right to Repair legislation (more states will follow). These 'Fair Repair' laws would require manufacturers to provide service information and sell repair parts to owners and independent repair shops.

Activist groups like the EFF and Repair.org want to "ensure that repair people aren't marked as criminals under the DMCA," according to the site, arguing that we're heading towards a future with many more gadgets to fix. "But we'll have to fix copyright law first."
Security

Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org) 70

Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and a misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning, even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
Red Hat Software

Interviews: Ask Red Hat CEO Jim Whitehurst A Question (redhat.com) 167

Jim Whitehurst joined Red Hat in 2008, as its valuation rose past $10 billion and the company entered the S&P 500. He believes that leaders should engage people, and then provide context for self-organizing, and in 2015 even published The Open Organization: Igniting Passion and Performance (donating all proceeds to the Electronic Frontier Foundation). The book describes a post-bureaucratic world of community-centric companies led with transparency and collaboration, with chapters on igniting passion, building engagement, and choosing meritocracy over democracy.

Jim's argued that Red Hat exemplifies "digital disruption," and recently predicted a world of open source infrastructure running proprietary business software. Fortune has already called Red Hat "one of the geekiest firms in the business," and their open source cloud computing platform OpenStack now competes directly with Amazon Web Services. Red Hat also sponsors the Fedora Project and works with the One Laptop Per Child initiative.

So leave your best questions in the comments. (Ask as many questions as you'd like, but please, one per comment.) We'll pick out the very best questions, and then forward them on for answers from Red Hat CEO Jim Whitehurst.
Electronic Frontier Foundation

2016 Saw A Massive Increase In Encrypted Web Traffic (eff.org) 91

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.
AT&T

US Court Demands Documents On AT&T/Police Collaboration (eff.org) 48

"The federal government has not justified its excessive secrecy about the massive telephone surveillance program known as Hemisphere, a court ruled in an EFF Freedom of Information Act lawsuit on Thursday." schwit1 quotes the EFF announcement: As a result, the federal government must submit roughly 260 pages of previously withheld or heavily redacted records to the court so that it can review them and decide whether to make more information about Hemisphere public. Hemisphere is a partnership between AT&T and federal, state, and local law enforcement agencies that allows police almost real-time access to telephone call detail records. The program is both extremely controversial -- AT&T requires police to hide its use from the public -- and appears to violate our First and Fourth Amendment rights.
Government lawyers had argued the disputed documents were restricted to use at the federal level, but the court remained unconvinced, especially "after EFF demonstrated that many of them appeared to have been given to state and local law enforcement."
Electronic Frontier Foundation

EFF Begins Investigating Surveillance Technology Rumors At Standing Rock (eff.org) 147

The Electronic Frontier Foundation has dispatched a team of technologists and lawyers to a protest site in Standing Rock, North Dakota, to investigate "several reports of potentially unlawful surveillance." An anonymous reader writes: The EFF has "collected anecdotal evidence from water protectors about suspicious cell phone behavior, including uncharacteristically fast battery drainage, applications freezing, and phones crashing completely," according to a recent report. "Some water protectors also saw suspicious login attempts to their Google accounts from IP addresses originating from North Dakota's Information & Technology Department. On social media, many reported Facebook posts and messenger threads disappearing, as well as Facebook Live uploads failing to upload or, once uploaded, disappearing completely."

The EFF reports "it's been very difficult to pinpoint the true cause or causes," but they've targeted over 20 law enforcement agencies with public records requests, noting that "Of the 15 local and state agencies that have responded, 13 deny having any record at all of cell site simulator use, and two agencies -- Morton County and the North Dakota State Highway Patrol (the two agencies most visible on the ground) -- claim that they can't release records in the interest of 'public safety'..."

"Law enforcement agencies should not be allowed to sidestep public inquiry into the surveillance technologies they're using," EFF writes, "especially when citizens' constitutional rights are at stake... It is past time for the Department of Justice to investigate the scope of law enforcement's digital surveillance at Standing Rock and its consequences for civil liberties and freedoms in the digital world."
Electronic Frontier Foundation

EFF: The Music Industry Shouldn't Be Able To Cut Off Your Internet Access (eff.org) 88

An anonymous reader quotes a report from Electronic Frontier Foundation: No one should have to fear losing their internet connection because of unfounded accusations. But some rights holders want to use copyright law to force your Internet service provider (ISP) to cut off your access whenever they say so, and in a case the Washington Post called "the copyright case that should worry all Internet providers," they're hoping the courts will help them. We first wrote about this case -- BMG v. Cox Communications -- when it was filed back in 2014, and last month, EFF, Public Knowledge (PK), and the Center for Democracy and Technology (CDT) urged the Court of Appeals for the Fourth Circuit to overturn a ruling that ISP Cox Communications was liable for copyright infringement. EFF, PK and CDT advised the court to consider the importance of Internet access in daily life in determining when copyright law requires an ISP to cut off someone's Internet subscription. The case turns in part on a provision in copyright law that gives internet intermediaries a safe harbor -- legal protection against some copyright infringement lawsuits -- provided they follow certain procedures. Online platforms like Facebook and YouTube, along with other internet intermediaries, have to "reasonably implement" a policy for terminating "subscribers and account holders" that are "repeat infringers" in "appropriate circumstances." But given the importance of Internet access, the circumstances where it's appropriate to cut off a home Internet subscription entirely are few and far between. The law as written is flexible enough that providers can design and implement policies that make sense for the nature of their service and their subscribers' circumstances. A repeat infringer policy for the company that provides your link to the Internet as a whole should take into account the essential nature of internet access and the severe harm caused by disconnection. 
But music publisher BMG wants to use this provision to force ISPs to become tougher enforcers of copyright law. According to BMG, ISPs should be required both to forward rights holders' threatening demand letters to their subscribers and terminate a subscriber's Internet access whenever rights holders allege that person has repeatedly violated copyright law. A subscriber is a "repeat infringer" and subject to termination, they argue, whenever they say so. Cox's appeal of the ruling raises two very important issues: (1) Who should be considered a "repeat infringer" who should be cut off from the Internet, and (2) whether ISPs must either cede to rights holders' demands or monitor their subscribers' internet habits to avoid liability. Slashdot reader waspleg adds: Two landmark Supreme Court cases, Metro-Goldwyn-Mayer Studios Inc. v. Grokster, Ltd., and Sony Corp. of America v. Universal Studios made clear that if a service is capable of significant lawful uses, and the provider doesn't actively encourage users to commit copyright infringement, the provider shouldn't be held responsible when someone nonetheless uses the service unlawfully.
Electronic Frontier Foundation

Why Did Japan Just Ratify The TPP? (businesstimes.com.sg) 225

The controversial Trans-Pacific Partnership can't go into effect without U.S. approval, Japan's Prime Minister Shinzo Abe has acknowledged. Yet despite president-elect Trump's promise to withdraw from the agreement, Japan's parliament voted on Friday to approve it. An anonymous reader quotes the Business Times: Was last Friday's vote simply a Quixotic tribute to a dying cause or -- as some are asking -- does Mr. Abe know something that others don't? They note that he is the only foreign leader to have met with the anointed heir to the U.S. presidency since the election result was announced. What went on in New York's Trump Tower during that "informal" meeting is unknown but some speculate that there may have been some equally informal -- but nonetheless significant -- dealmaking between the two men on the TPP. This seems quite possible, analysts say, because the TPP is of great importance to Japan and to Mr. Abe's grand design for Japan to remain a pivotal Asia-Pacific power.
The EFF has decried "the intense push to ram Internet issues into international law through the TPP," and complained Friday that Japan's newly-passed law "includes the extension of Japan's copyright term from 50 to 70 years after the death of the author, which makes today a very sad day for Japan's public domain."

And in addition, "There remains a risk that other TPP countries such as Singapore -- and even countries that weren't part of the original deal, such as Taiwan -- will soon also bring their domestic legislation into conformity with the requirements of this dead agreement."
Censorship

EFF Report Finds 74% Of Censorship News Stories Are About Facebook (onlinecensorship.org) 75

An anonymous reader writes: OnlineCensorship.org just released a new report "to provide an objective, data-driven voice in the conversation around commercial content moderation." They're collecting media reports about censorship on Facebook, Twitter, Instagram, YouTube, Flickr and Google+, and have now analyzed 294 reports of content takedowns -- 74% of which pertained to Facebook. (Followed by Instagram with 16% and Twitter with 7%.) 47% of all the takedowns were nudity-related, while the next two most frequent reasons given were "real name" violations and "inappropriate content".

Noting "a more visible public debate" over content moderation, the report acknowledges that 4.7 billion Facebook posts are made every day. (It also reports the "consistent refrain" from services apologizing for issues -- that "our team processes millions of reports each week...") But the most bizarre incident they've identified was the tech blogger in India who was locked out of his Facebook account in October because he shared a photo of a cat in a business suit. "It might sound stupid but this just happened to me," he told Mashable India, which reports Facebook later apologized and said it had made a mistake.

Their report -- part of the EFF's collaboration with Visualizing Impact -- urges platforms to clarify their guidelines (as well as applicable laws), to explain the mechanisms being used to evaluate content and appeals, and to share those criteria when notifying users of take-downs. For example, in August Facebook inexplicably removed a 16th-century sketch by Erasmus of Rotterdam detailing a right hand.
Electronic Frontier Foundation

Humble Bundle Supports The EFF With A LEGO eBook Sale (humblebundle.com) 17

The EFF is describing it as "a break for your brain." An anonymous reader writes: Humble Bundle has announced a special "pay what you want" sale for four ebooks about LEGO from No Starch Press, with proceeds going to the Electronic Frontier Foundation, or to the charity of your choice. The ebooks include Beautiful LEGO (a compendium of creations by dozens of artists) and Medieval LEGO, which describes and recreates English history in the Middle Ages using LEGO blocks. Contributors who pay more than $8 also receive six more books, including "Forbidden LEGO", a more free-style building guide that one reviewer called "The Anarchist Cookbook of the nursery," as well as "The Cult of LEGO", a tour of the block-building community. And for a $15 donation, contributors receive six more ebooks -- bringing the total to 16 -- including The LEGO Christmas Ornaments Book and Steampunk LEGO.
Government

President Obama Gives Up On The Trans-Pacific Partnership (theguardian.com) 355

An anonymous reader quotes The Guardian: White House officials conceded on Friday that the president's hard-fought-for Trans-Pacific Partnership trade deal would not pass Congress, as lawmakers there prepared for the anti-global trade policies of President-elect Donald Trump. Earlier this week, congressional leaders in both parties said they would not bring the trade deal forward during a lame-duck session of Congress, before the formal transition of power on January 20.
One Canadian law professor had argued the case against the TPP included its unbalanced intellectual property rules and risks to privacy, while the EFF believed it locked in the worst parts of U.S. copyright law and also exported them to other countries.
Electronic Frontier Foundation

Aaron Swartz Remembered With Annual Hackathon In San Francisco (eff.org) 18

"This weekend you have the chance to add to Aaron Swartz's legacy by boosting tools for whistleblowers," the EFF writes. An anonymous reader quotes their report: The 2016 Aaron Swartz International Hackathon -- held in honor of the late Internet and political activist -- will take place during the day Saturday and Sunday at the Internet Archive in San Francisco. The hackathon will focus on whistleblower submission system SecureDrop, which was created by Swartz and Kevin Poulsen to connect media organizations and anonymous sources and is managed by the Freedom of the Press Foundation. This weekend's events -- timed to what would have been his 30th birthday on Nov. 8 -- will also feature a series of speakers on Saturday night, including SecureDrop's Conor Schaefer, Fight for the Future Co-founder Tiffiniy Cheng, and EFF Executive Director Cindy Cohn, as well as a special statement from Chelsea Manning.
Government

EFF Suggests Halloween Costume To Protest Facial Recognition Databases (eff.org) 65

An anonymous reader writes: EFF's list of costume ideas for digital rights activists include a Stingray costume, dressing up like a Privacy Badger (or a patent troll), and using facepaint to simulate the eerie digitization algorithms that are currently capturing images of your face for government databases. "Just this week we learned that facial recognition is far more prevalent among local and federal law enforcement than we thought, with at least 26 states using this biometric technology... To draw attention to this emerging threat to privacy, you can use your face painting skills to recreate the digitization algorithms on your own mug based on public records we and others have obtained from law enforcement agencies."
Sixteen states already grant the FBI access to their DMV databases, reports EFF, noting that it's "almost completely unregulated," with one study reporting that 50% of American faces are already in a government database.
Cellphones

Feds Walk Into a Building, Demand Everyone's Fingerprints To Open Phones (dailyherald.com) 432

An anonymous Slashdot reader quotes the Daily Herald: Investigators in Lancaster, California, were granted a search warrant last May with a scope that allowed them to force anyone inside the premises at the time of search to open up their phones via fingerprint recognition, Forbes reported Sunday. The government argued that this did not violate the citizens' Fifth Amendment protection against self incrimination because no actual passcode was handed over to authorities...

"I was frankly a bit shocked," said Andrew Crocker, a staff attorney at the Electronic Frontier Foundation, when he learned about the scope of the search warrant. "As far as I know, this warrant application was unprecedented"... He also described requiring phones to be unlocked via fingerprint, which does not technically count as handing over a self-incriminating password, as a "clever end-run" around constitutional rights.
