Category Archives: Internet

CanuckRadio.com: 100% Canadian Hits

by The Walrus on May 11, 2016, no comments

There’s a new internet radio station on the scene, and they play absolutely nothing but Canadian music.  As a patriotic citizen of this proud home and native land we call Canada, I’m VERY happy to have this new listening option.  CBC’s talk gets a little tiresome after a while and they rarely rock as hard.  So […]

Free Customer WiFi in the Annapolis Valley, Nova Scotia

by The Walrus on March 30, 2016, no comments

My company has an introductory offer right now on managed Free Customer WiFi systems.  It’s secure, plug-and-play, and best of all, you don’t have to do a thing.  No memorizing passwords or giving out special cards with connection info.  Your customers can just connect to the WiFi, plug their email address in your little customized […]

Senate Intelligence Committee Advances Terrible “̶C̶y̶b̶e̶r̶s̶e̶c̶u̶r̶i̶t̶y̶”̶ ̶B̶i̶l̶l̶ Surveillance Bill in Secret Session

by News on March 19, 2015, no comments

The Senate Intelligence Committee

Cybersecurity bills aim to facilitate information sharing between companies and the government, but their broad immunity clauses for companies, vague definitions, and aggressive spying powers make them secret surveillance bills. CISA marks the fifth time in as many years that Congress has tried to pass “cybersecurity” legislation. Join us now in killing this bill.

The newest Senate Intelligence bill joins other cybersecurity information sharing legislation like Senator Carper’s Cyber Threat Sharing Act of 2015. All of them are largely redundant. Last year, President Obama signed Executive Order 13636 (EO 13636) directing the Department of Homeland Security (DHS) to expand current information sharing programs. In February, he signed another Executive Order encouraging regional cybersecurity information sharing and creating yet another Cyber Threat Center. Despite this, members of Congress like Senators Dianne Feinstein and Richard Burr continue to introduce bills that would destroy privacy protections and grant new spying powers to companies.

New Countermeasures and Monitoring Powers

Aside from its redundancy, the Senate Intelligence bill grants two new authorities to companies. First, the bill authorizes companies to launch countermeasures (now called “defensive measures” in the bill) for a “cybersecurity purpose” against a “cybersecurity threat.” “Cybersecurity purpose” is so broadly defined that it means almost anything related to protecting (including physically protecting) an information system, which can be a computer or software. The same goes for a “cybersecurity threat,” which includes anything that “may result” in an unauthorized effort to impact the availability of the information system.

Even with the changed language, it’s still unclear what restrictions exist on “defensive measures.” Since the definition of “information system” is inclusive of files and software, can a company that has a file stolen from them launch “defensive measures” against the thief’s computer? What’s worse, the bill may allow such actions as long as they don’t cause “substantial” harm. The bill leaves the term undefined. If true, the countermeasures (“defensive measures”) clause could increasingly encourage computer exfiltration attacks on the Internet—a prospect that may appeal to some “active defense” (aka offensive) cybersecurity companies, but does not favor the everyday user.

Second, the bill adds a new authority for companies to monitor information systems to protect an entity’s hardware or software. Here again, the broad definitions could be used in conjunction with the monitoring clause to spy on users engaged in potentially innocuous activity. Once collected, companies can then share the information, which is also called “cyber threat indicators,” freely with government agencies like the NSA.

Sharing Information with NSA

Such sharing will occur because under this bill, DHS would no longer be the lead agency making decisions about the cybersecurity information received, retained, or shared to companies or within the government. Its new role in the bill mandates DHS send information to agencies—like the NSA—“in real-time.” The bill also allows companies to bypass DHS and share the information immediately with other agencies, like the intelligence agencies, which ensures that DHS’s current privacy protections won’t be applied to the information. The provision is ripe for improper and over-expansive information sharing.

Overbroad Use of Information

Once the information is sent to any government agency (including local law enforcement), it can use the information for reasons other than for cybersecurity purposes. The provisions grant the government far too much leeway in how to use the information for non-cybersecurity purposes. The public won’t even know what information is being collected, shared, or used because the bill will exempt all of it from disclosure under the Freedom of Information Act.

In 2012, the Senate negotiated a much tighter definition in Senator Lieberman’s Cybersecurity Act of 2012. The definition only allowed law enforcement to use information for a violation of the Computer Fraud and Abuse Act, an imminent threat of death, or a serious threat to a minor. The Senate Intelligence Committee’s bill—at the minimum—should’ve followed the already negotiated language.

Near-Blanket Immunity

The bill also retains near-blanket immunity for companies to monitor information systems and to share the information as long as it’s conducted according to the act. Again, “cybersecurity purpose” rears its ugly overly broad head since a broad range of actions conducted for a cybersecurity purpose are allowed by the bill. The high bar immunizes an incredible amount of activity. Existing private rights of action for violations of the Wiretap Act, Stored Communications Act, and potentially the Computer Fraud and Abuse Act would be precluded or at least sharply restricted by the clause. It remains to be seen why such immunity is needed when just a few months ago, the FTC and DOJ noted they would not prosecute companies for sharing such information. It’s also unclear because we continue to see companies freely share information among each other and with the government both publicly via published reports, information sharing and analysis centers, and private communications.

A Fatally Flawed Bill

This fatally flawed bill must be stopped. It’s not a cybersecurity, but a surveillance bill. And it can be voted on at any time. Get in touch with your Senator, tell them to vote no on the bill, and to not cosponsor the Senate Intelligence Committee’s Cybersecurity Information Sharing Act of 2014.


Guess Who Wasn’t Invited to the CIA’s Hacker Jamboree?

by News on March 10, 2015, no comments

Apple, that’s who. Or Microsoft, or any of the other vendors whose products US government contractors have successfully exploited according to a recent report in the Intercept. While we’re not surprised that the Intelligence Community is actively attempting to develop new spycraft tools and capabilities—that’s their job—we expect them to follow the administration’s rules of engagement. Those rules require an evaluation under what’s known as the “Vulnerabilities Equities Process.” In the White House’s own words, the process should usually result in disclosing software vulnerabilities to vendors, because “in the majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest.”

Nevertheless, the Intercept article describes an annual CIA conference known as the Trusted Computing Base (TCB) Jamboree[1] at which members of the intelligence community present extensively on software vulnerabilities and exploits to be used in spying operations. At the 2012 TCB Jamboree, presenters from Sandia National Laboratories, which is a contractor for the Department of Energy, described an attack on Xcode, the Apple software used to compile applications in Mac OS X and iOS. The “whacked” Xcode exploit, called Strawhorse, enables intelligence agents to implant a version of Xcode on developers’ computers which, unbeknownst to the developers, would cause software they compile to include a backdoor or other compromise. If successful, the attack could enable a range of surveillance-friendly applications to be covertly made available to the public. The report suggests that the Sandia team discovered and employed a number of additional vulnerabilities in Apple’s hardware and software, including a vulnerability in Apple’s secure element that enabled them to extract a secret key, and one that allowed modification of the OS X updater to install a keylogger. Finally, the report describes similar presentations on Microsoft’s BitLocker software and others.

The vulnerabilities involved in these exploits were almost certainly unknown to Apple itself, and the documents released by the Intercept do not indicate that the CIA or its contractors ever considered disclosing them to the company. Yet this is what the administration’s Vulnerabilities Equities Process requires—a balancing test that weighs the risk to average users of leaving unpatched vulnerabilities against the needs of the intelligence community.

EFF has sued under the Freedom of Information Act (FOIA) to uncover more about the Vulnerabilities Equities Process, which the White House characterized as a set of principles that inform “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.” Naturally, the Office of the Director of National Intelligence and the NSA have been less than forthcoming in response to our FOIA suit, producing only a handful of highly-redacted documents to date. Given the scanty information we’ve received, and the freedom with which the Jamboree attendees seem to stockpile vulnerabilities, we have doubts that the Equities Process is really as “disciplined and rigorous” as the administration claims.

When asked for comment, an unnamed intelligence official told CNBC: “There’s a whole world of devices out there, and that’s what we’re going to do…It is what it is.”

  • 1. We have no idea if the organizers of the TCB Jamboree were aware of the coincidence, but as any good Elvis fan knows, the King’s personal motto was Taking Care of Business, or TCB for short.

You Have 48 Hours to Stop the Spies in Paraguay

by News on March 10, 2015, no comments

This Thursday, the Paraguayan Chamber of Deputies will vote on a data retention mandate—one of the worst freedom-killing bills we’ve seen so far in Paraguay. The bill, dubbed Pyrawebs, is a big deal: data retention mandates are a disproportionate measure that should be sorely rejected. Now is the time to mobilize your networks.

Here’s how you can participate:

Post about Pyrawebs and its numerous issues on your website or over social media

To join the action, we encourage you to write about the dangers of this bill. A blog post, a Facebook update, or even a tweet (using the hashtag #Pyrawebs) linking to TEDIC’s action alert could go a long way in helping stop Pyrawebs.

We have a number of blog posts up about the data retention mandate problems, including a general overview post; a thorough FAQ (ES); and a discussion of how it’s an unnecessary and disproportionate measure (ES). We encourage you to read up and educate your networks—through posts or tweets—about Pyrawebs’ dangers.

Tweet at the Paraguayan Congress

If you are Paraguayan, contact your Paraguayan congressman and express your major concerns with Pyrawebs. Tweet at Congress, share the list, and spread the word about Pyrawebs’ issues.

Follow this site for more updates

As this week goes on, we’ll be posting more updates, actions, and analyses around Pyrawebs on our site. You should also visit the online campaign at pyrawebs.tedic.org and here. This bill is riddled with a number of flaws that threaten our right to privacy. Be sure to check back here often.


You Can’t Block Apps on the Free and Open Brazilian Internet

by News on March 2, 2015, no comments

Brazil’s Marco Civil law contains vigorous language intended to protect free expression, and a stable, secure and neutral network in Brazil. But as we have noted before, such laws must be interpreted and enforced appropriately to be effective. A good Internet law can quickly turn bad if incorrectly or improperly applied.

Last week, a Brazilian municipal judge sought to wield one part of the Marco Civil—its section on mandatory data retention—in a way we think undermines the rest of the law. Judge Luiz de Moura Correia of the Brazilian state of Piauí ordered Brazilian Internet and mobile connectivity providers to block access to the WhatsApp mobile-messaging application within 24 hours. The judge told journalists the injunction was intended to “compel the company that owns the app to assist with investigations by the state police.”

Correia’s decision would have affected millions of innocent Brazilians who rely on WhatsApp as a messaging service. It would have served as a disturbing indication that in the pursuit of one aim of the Marco Civil, the courts can trample over the freedom of users to communicate online, and the freedom of the Net and the tools used to access it to remain uncensored.

Brazilian local courts have had a long history of issuing such broad and disruptive injunctions in their attempts to force Internet intermediaries to comply with state investigations or orders. Two examples have become especially well-known. In 2007, after YouTube failed to take down a clip of Brazilian supermodel Daniela Cicarelli, a São Paulo state court issued an order that led to the entire YouTube service being blocked by Brasil Telecom. In 2012, a judge in Mato Grosso do Sul ordered a 24-hour suspension of Google and an arrest order for the head of Google Brasil after the company failed to remove videos critical of a mayoral candidate.

It was in this earlier atmosphere of random and disruptive court orders that the Marco Civil was born: an attempt to create a general and consistent set of principles under which the Brazilian Internet would be governed. The Marco Civil goes to great lengths to establish that Brazilian law should treat the Internet as a force for free expression, with the stability of the network and the protection of privacy as key “disciplines” of the new law.

Unfortunately, Judge Correia used the most freedom-unfriendly parts of the new law as the justification for his order. The Marco Civil includes a series of punishments that can be ordered against companies that do not comply with various regulations, including warnings, fines, service suspension and outright prohibition. Judge Correia’s order selected the most severe of these sanctions, and interpreted it as authorizing censorship orders to ISPs.

The injunction against WhatsApp was halted on Thursday by an appeals court, the Piauí Court of Justice, which determined that the injunction was unreasonable because of the disproportionate effect a suspension of service would have on thousands of Brazilians unconnected with the local investigation.

As Paulo Rená, director of IBIDEM, activist and former manager of the Marco Civil consultation process, told EFF:

The measure itself lacks explicit or implicit support within the principles granted by the law, which ensures the social purpose of the Internet, the citizenship in digital media, the preservation of stability, security and network functionality, and the collective interest.

Legal experts Ronaldo Lemos and Celina Beatriz, both of the Instituto de Tecnologia e Sociedade do Rio (ITS Rio), also questioned the propriety of ordering ISPs to shut down access to a service, telling Brazilian press that the blocking of the service was not a remedy authorized by the law.

Moreover, Brazil has ratified the International Covenant on Civil and Political Rights as well as the Inter-American convention on human rights, which both protect free expression, and it can only be limited in very narrow cases and when necessary and proportionate.

Judges and lawmakers around the world continue to reach for censorship and mandatory blocking to enforce local law on a global Internet. It’s a clumsy, disproportionate response that sacrifices the rights of millions and the promise of an uncensored Internet to exact the narrowest of concessions. Overturning the order sends the right signal about the Internet’s future; but the fact that such injunctions can still be made in the first place, and users faced with censorship of foreign apps and services, even in the home of the Marco Civil, shows how far we have to go.



Living Internet-Only

by The Walrus on March 1, 2015, no comments

The bills were piling up, and one of the biggest ones was from our local cable company.  Bundled cable TV, phone & internet seemed like a sweet deal at the time compared to the collective bills for all three separately, but we decided to make a change and give up cable TV.  It seemed like […]