DEAL: For $25 - Add A Second Phone Number To Your Smartphone for life! Use promo code SLASHDOT25. Also, Slashdot's Facebook page has a chat bot now. Message it for stories and more. Check out the new SourceForge HTML5 internet speed test! ×
Communications

Senate Votes To Kill FCC's Broadband Privacy Rules (pcworld.com) 403

The Senate voted 50-48 along party lines Thursday to repeal an Obama-era law that requires internet service providers to obtain permission before tracking what customers look at online and selling that information to other companies. PCWorld adds: The Senate's 50-48 vote Thursday on a resolution of disapproval would roll back Federal Communications Commission rules requiring broadband providers to receive opt-in customer permission to share sensitive personal information, including web-browsing history, geolocation, and financial details with third parties. The FCC approved the regulations just five months ago. Thursday's vote was largely along party lines, with Republicans voting to kill the FCC's privacy rules and Democrats voting to keep them. The Senate's resolution, which now heads to the House of Representatives for consideration, would allow broadband providers to collect and sell a "gold mine of data" about customers, said Senator Bill Nelson, a Florida Democrat. Kate Tummarello, writing for EFF: [This] would be a crushing loss for online privacy. ISPs act as gatekeepers to the Internet, giving them incredible access to records of what you do online. They shouldn't be able to profit off of the information about what you search for, read about, purchase, and more without your consent. We can still kill this in the House: call your lawmakers today and tell them to protect your privacy from your ISP.
Businesses

Patents Are A Big Part Of Why We Can't Own Nice Things (eff.org) 243

An anonymous reader shares an EFF article: Today, the Supreme Court heard arguments in a case that could allow companies to keep a dead hand of control over their products, even after you buy them. The case, Impression Products v. Lexmark International, is on appeal from the Court of Appeals for the Federal Circuit, who last year affirmed its own precedent allowing patent holders to restrict how consumers can use the products they buy. That decision, and the precedent it relied on, departs from long established legal rules that safeguard consumers and enable innovation. When you buy something physical -- a toaster, a book, or a printer, for example -- you expect to be free to use it as you see fit: to adapt it to suit your needs, fix it when it breaks, re-use it, lend it, sell it, or give it away when you're done with it. Your freedom to do those things is a necessary aspect of your ownership of those objects. If you can't do them, because the seller or manufacturer has imposed restrictions or limitations on your use of the product, then you don't really own them. Traditionally, the law safeguards these freedoms by discouraging sellers from imposing certain conditions or restrictions on the sale of goods and property, and limiting the circumstances in which those restrictions may be imposed by contract. But some companies are relentless in their quest to circumvent and undermine these protections. They want to control what end users of their products can do with the stuff they ostensibly own, by attaching restrictions and conditions on purchasers, locking down their products, and locking you (along with competitors and researchers) out. If they can do that through patent law, rather than ordinary contract, it would mean they could evade legal limits on contracts, and that any one using a product in violation of those restrictions (whether a consumer or competitor) could face harsh penalties for patent infringement.
Patents

Maryland Legislator Wants To Keep State University Patents Away From Trolls (eff.org) 52

The EFF's "Reclaim Invention" campaign provided the template for a patent troll-fighting bill recently introduced in the Maryland legislature to guide public universities. An anonymous reader writes: The bill would "void any agreement by the university to license or transfer a patent to a patent assertion entity (or patent troll)," according to the EFF, requiring universities to manage their patent portfolios in the public interest. James Love, the director of the nonprofit Knowledge Ecology International, argues this would prevent assigning patents to "organizations who are just suing people for infringement," which is especially important for publicly-funded colleges. "You don't want public sector patents to be used in a way that's a weapon against the public." Yarden Katz, a fellow at Harvard's Berkman Klein Center for Internet amd Society, says the Maryland legislation would "set an example for other states by adopting a framework for academic research that puts public interests front and center."
The EFF has created a web page where you can encourage your own legislators to pass similar bills, and to urge universities to pledge "not to knowingly license or sell the rights of inventions, research, or innovation...to patent assertion entities, or patent trolls."
The Courts

Hacking Victim Can't Sue Foreign Government For Hacking Him On US Soil, Says Court (vice.com) 102

According to Motherboard, a court of appeals in Washington D.C. ruled that an American citizen can't sue the Ethiopian government for hacking into his computer and monitoring him with spyware. "The decision on Tuesday is a blow to anti-surveillance and digital rights activists who were hoping to establish an important precedent in a widely documented case of illegitimate government-sponsored hacking." From the report: In late 2012, the Ethiopian government allegedly hacked the victim, an Ethiopian-born man who goes by the pseudonym Kidane for fear for government reprisals. Ethiopian government spies from the Information Network Security Agency (INSA) allegedly used software known as FinSpy to break into Kidane's computer, and secretly record his Skype conversations and steal his emails. FinSpy was made by the infamous FinFisher, a company that has sold malware to several governments around the world, according to researchers at Citizen Lab, a digital watchdog group at the University of Toronto's Munk School of Global Affairs, who studied the malware that infected Kidane's computer. The U.S. Court of Appeals for the District of Columbia Circuit ruled that Kidane didn't have jurisdiction to sue the Ethiopian government in the United States. Kidane and his lawyers invoked an exception to the Foreign Sovereign Immunities Act (FSIA), which says foreign governments can be sued in the U.S. as long as the entire tort on which the lawsuit is based occurred on American soil. According to the court, however, the hacking in this case didn't occur entirely in the U.S. "Ethiopia's placement of the FinSpy virus on Kidane's computer, although completed in the United States when Kidane opened the infected email attachment, began outside the United States," the decision read. "[It] gives foreign governments carte blanche to do whatever they want to Americans in America so long as they do it by remote control," Nate Cardozo, a staff attorney at the Electronic Frontier Foundation, a digital rights group who represented Kidane in this first-of-its-kind lawsuit, told Motherboard.
Privacy

Hey CIA, You Held On To Security Flaw Information -- But Now It's Out. That's Not How It Should Work (eff.org) 246

Cindy Cohn, writing for EFF: The dark side of this story is that the documents confirm that the CIA holds on to security vulnerabilities in software and devices -- including Android phones, iPhones, and Samsung televisions -- that millions of people around the world rely on. The agency appears to have failed to accurately assess the risk of not disclosing vulnerabilities to responsible vendors and failed to follow even the limited Vulnerabilities Equities Process. As these leaks show, we're all made less safe by the CIA's decision to keep -- rather than ensure the patching of -- vulnerabilities. Even spy agencies like the CIA have a responsibility to protect the security and privacy of Americans.
Crime

Local Police Departments Are Building Their Own DNA Databases (ap.org) 50

Slashdot reader schwit1 quotes the Associated Press: Dozens of police departments around the U.S. are amassing their own DNA databases to track criminals, a move critics say is a way around regulations governing state and national databases that restrict who can provide genetic samples and how long that information is held. The local agencies create the rules for their databases, in some cases allowing samples to be taken from children or from people never arrested for a crime. Police chiefs say having their own collections helps them solve cases faster because they can avoid the backlogs that plague state and federal repositories...

Frederick Harran, the public safety director in Bensalem Township, Pennsylvania...said he knows of about 60 departments using local databases... "The local databases have very, very little regulations and very few limits, and the law just hasn't caught up to them," said Jason Kreig, a law professor at the University of Arizona who has studied the issue.

One ACLU attorney cites a case where local police officers in California took DNA samples from children without even obtaining a court order first.
IBM

IBM Gets a Patent On 'Out-of-Office' Email Messages -- In 2017 (arstechnica.com) 65

The U.S. Patent and Trademark Office has issued IBM a -- what the Electronic Frontier Foundation calls -- "stupefyingly mundane" patent on e-mail technology. U.S. Patent No. 9,547,842, "Out-of-office electronic mail messaging system" was filed in 2010 and granted about six weeks ago. Ars Technica reports: The "invention" represented in the '842 patent is starkly at odds with the real history of technology, accessible in this case via a basic Google search. EFF lawyer Daniel Nazer, who wrote about the '842 patent in this month's "Stupid Patent of the Month" blog post, points to an article on a Microsoft publicity page that talks about quirky out-of-office e-mail culture dating back to the 1980s, when Microsoft marketed its Xenix e-mail system (the predecessor to today's Exchange.) IBM offers one feature that's even arguably not decades old: the ability to notify those writing to the out-of-office user some days before the set vacation dates begin. This feature, similar to "sending a postcard, not from a vacation, but to let someone know you will go on a vacation," is a "trivial change to existing systems," Nazer points out. Nazer goes on to identify some major mistakes made during the examination process. The examiner never considered whether the software claims were eligible after the Supreme Court's Alice v. CLS Bank decision, which came in 2014, and in Nazer's view, the office "did an abysmal job" of looking at the prior art. "[T]he examiner considered only patents and patent applications," notes Nazer. The office "never considered any of the many, many, existing real-world systems that pre-dated IBM's application."
Hardware Hacking

Open Source Car-Hacking Tool Successfully Crowdfunded (kickstarter.com) 54

An anonymous reader writes: Two geeks are crowdfunding an open source car hacking tool that will allow builders to experiment with diagnostics, telematics, security, and prototyping. "Cars have become complicated and expensive to work with," they explain on a Kickstarter page. "Macchina wants to use open source hardware to help break down these barriers and get people tinkering with their cars again." After years developing a beta prototype, they announced a tiny plug-and-play device/development platform (that can also be hardwired under the hood) on an Arduino Due board with a 32-bit ARM microcontroller. They almost immediately reached their $25,000 funding goal, and with 24 days left to go they've already raised $41,672, and they're now also selling t-shirts to benefit the EFF's "Right to Repair" activism.

Challenging "the closed, unpublished nature of modern-day car computers," their M2 device ships with protocols and libraries "to work with any car that isn't older than Google." With catchy slogans like "root your ride" and "the future is open," they're hoping to build a car-hacking developer community, and they're already touting the involvement of Craig Smith, the author of the Car Hacker's Handbook from No Starch Press.

"The one thing that all car hobbyists can agree on is that playing with cars isn't cheap," argues the campaign page. "Open source hardware is the answer!"
Cellphones

Should International Travelers Leave Their Phones At Home? (freecodecamp.com) 514

Long-time Slashdot reader Toe, The sums up what he learned from freeCodeCamp's Quincy Larson: "Before you travel internationally, wipe your phone or bring/rent/buy a clean one." Larson's article is titled "I'll never bring my phone on an international flight again. Neither should you." All the security in the world can't save you if someone has physical possession of your phone or laptop, and can intimidate you into giving up your password... Companies like Elcomsoft make 'forensic software' that can suck down all your photos, contacts -- even passwords for your email and social media accounts -- in a matter of minutes.... If we do nothing to resist, pretty soon everyone will have to unlock their phone and hand it over to a customs agent while they're getting their passport swiped... And with this single new procedure, all the hard work that Apple and Google have invested in encrypting the data on your phone -- and fighting for your privacy in court -- will be a completely moot point.
The article warns Americans that their constitutional protections don't apply because "the U.S. border isn't technically the U.S.," calling it "a sort of legal no-man's-land. You have very few rights there." Larson points out this also affects Canadians, but argues that "You can't hand over a device that you don't have."
Electronic Frontier Foundation

Three Privacy Groups Challenge The FBI's Malware-Obtained Evidence (eff.org) 118

In 2015 the FBI took over a Tor-accessible child pornography site to infect its users with malware so they could be identified and prosecuted. But now one suspect is challenging that evidence in court, with three different privacy groups filing briefs in his support. An anonymous reader writes. One EFF attorney argues it's a classic case of an unreasonable search, which is prohibited by the U.S. Constitution. "If the FBI tried to get a single warrant to search 8,000 houses, such a request would unquestionably be denied." But there's another problem, since the FBI infected users in 120 different countries. "According to Privacy International, the case also raises important questions: What if a foreign country had carried out a similar hacking operation that affected U.S. citizens?" writes Computerworld. "Would the U.S. welcome this...? The U.S. was overstepping its bounds by conducting an investigation outside its borders without the consent of affected countries, the group said."
The FBI's evidence is also being challenged by the ACLU of Massachusetts, and the EFF plans to file two more challenges in March, warning that otherwise "the precedent is likely to impact the digital privacy rights of all Internet users for years to come... Courts need to send a very clear message that vague search warrants that lack the required specifics about who and what is to be searched won't be upheld."
Security

Can The Mayhem AI Automate Bug-Patching? (technologyreview.com) 23

"Now when a machine is compromised it takes days or weeks for someone to notice and then days or weeks -- or never -- until a patch is put out," says Carnegie Mellon professor David Brumley. "Imagine a world where the first time a hacker exploits a vulnerability he can only exploit one machine and then it's patched." An anonymous reader quotes MIT Technology Review: Last summer the Pentagon staged a contest in Las Vegas in which high-powered computers spent 12 hours trying to hack one another in pursuit of a $2 million purse. Now Mayhem, the software that won, is beginning to put its hacking skills to work in the real world... Teams entered software that had to patch and protect a collection of server software, while also identifying and exploiting vulnerabilities in the programs under the stewardship of its competitors... ForAllSecure, cofounded by Carnegie Mellon professor David Brumley and two of his PhD students, has started adapting Mayhem to be able to automatically find and patch flaws in certain kinds of commercial software, including that of Internet devices such as routers.

Tests are underway with undisclosed partners, including an Internet device manufacturer, to see if Mayhem can help companies identify and fix vulnerabilities in their products more quickly and comprehensively. The focus is on addressing the challenge of companies needing to devote considerable resources to supporting years of past products with security updates... Last year, Brumley published results from feeding almost 2,000 router firmware images through some of the techniques that powered Mayhem. Over 40%, representing 89 different products, had at least one vulnerability. The software found 14 previously undiscovered vulnerabilities affecting 69 different software builds. ForAllSecure is also working with the Department of Defense on ideas for how to put Mayhem to real world use finding and fixing vulnerabilities.

Privacy

Secret Rules Make It Pretty Easy For the FBI To Spy On Journalists (theintercept.com) 189

schwit1 shares with us a report on a 11-part series led by The Intercept reporter Cora Currier: Secret FBI rules allow agents to obtain journalists' phone records with approval from two internal officials -- far less oversight than under normal judicial procedures. The classified rules dating from 2013, govern the FBI's use of national security letters, which allow the bureau to obtain information about journalists' calls without going to a judge or informing the news organization being targeted. They have previously been released only in heavily redacted form. Media advocates said the documents show that the FBI imposes few constraints on itself when it bypasses the requirement to go to court and obtain subpoenas or search warrants before accessing journalists' information. The rules stipulate that obtaining a journalist's records with a national security letter requires the signoff of the FBI's general counsel and the executive assistant director of the bureau's National Security Branch, in addition to the regular chain of approval. Generally speaking, there are a variety of FBI officials, including the agents in charge of field offices, who can sign off that an NSL is "relevant" to a national security investigation. There is an extra step under the rules if the NSL targets a journalist in order "to identify confidential news media sources." In that case, the general counsel and the executive assistant director must first consult with the assistant attorney general for the Justice Department's National Security Division. But if the NSL is trying to identify a leaker by targeting the records of the potential source, and not the journalist, the Justice Department doesn't need to be involved. The guidelines also specify that the extra oversight layers do not apply if the journalist is believed to be a spy or is part of a news organization "associated with a foreign intelligence service" or "otherwise acting on behalf of a foreign power." Unless, again, the purpose is to identify a leak, in which case the general counsel and executive assistant director must approve the request.
Government

The US Border Patrol Is Checking Detainees' Facebook Profiles (cnet.com) 502

An anonymous reader quotes CNET: Border patrol agents are checking the Facebook accounts of people who are being held in limbo for approval to enter the U.S., according to a Saturday tweet by immigration lawyer Mana Yegani that was spotted by The Independent... Yegani, who is a member of the American Immigration Lawyers Association, told CNET that checking phones has been reported by other lawyers as part of the vetting process. "[G]oing through passengers phones from the seven banned countries happens when the individual is interrogated (put under extreme vetting)," Yegani said.

Yegani told The Independent that she and other lawyers have been fielding calls from people who are already cleared to live in America, but are getting stuck at the border regardless. "These are people that are coming in legally. They have jobs here and they have vehicles here," Yegani said in the report.

The EFF warns that "Fourth Amendment protection is not as strong at the border as it is in your home or office. This means that law enforcement can inspect your computer or electronic equipment, even if they have no reason to suspect there is anything illegal on it. An international airport, even if many miles from the actual border, is considered the functional equivalent of a border."
AI

Who's Responsible For Accidents Caused By Open Source Self-Driving Car Software? (ieee.org) 114

Here's the problem. "You could download Comma.ai's new open-source Python code from Github, grab the necessary hardware, and follow the company's instructions to add semi-autonomous capabilities to specific Acura and Honda model cars (with more vehicles to follow)," writes IEEE Spectrum. But then who's legally responsible if there's an accident? Long-time Slashdot reader Registered Coward v2 writes: While many legal experts agree OSS is "buyer beware" and that Comma.ai and its CEO Georg Hotz would not be liable, it's a gray area in the law. The software is release under the MIT OSS license and the Read Me contains the disclaimer "This is alpha-quality software for research purposes only... You are responsible for complying with local laws and regulatons." The U.S. Supreme Court, in a series of court cases in the 1990s, ruled open source code as free speech protected under the First Amendment of the U.S. Constitution.

The question is does that release the author(s) from liability. The EU has no EU wide rules on liability in such cases. One open question is even if the person who used the software could not sue, a third party injured by it might be able to since they are not a party to the license agreement.

An EFF attorney told HotHardware "Prosecutors and plaintiffs often urge courts to disregard traditional First Amendment protections in the case of software." But not everyone agrees. "Most legal experts that spoke with IEEE Spectrum -- and Hotz himself -- believe that if you use the company's code and something goes wrong, then it isn't liable for damages. You are."
Electronic Frontier Foundation

Three States Propose DMCA-Countering 'Right To Repair' Laws (ifixit.org) 225

Automakers are using the Digital Millennium Copyright Act to shut down tools used by car mechanics -- but three states are trying to stop them. An anonymous reader quotes IFixIt.Org: in 2014, Ford sued Autel for making a tool that diagnoses car trouble and tells you what part fixes it. Autel decrypted a list of Ford car parts, which wound up in their diagnostic tool. Ford claimed that the parts list was protected under copyright (even though data isn't creative work) -- and cracking the encryption violated the DMCA. The case is still making its way through the courts. But this much is clear: Ford didn't like Autel's competing tool, and they don't mind wielding the DMCA to shut the company down...

Thankfully, voters are stepping up to protect American jobs. Just last week, at the behest of constituents, three states -- Nebraska, Minnesota, and New York -- introduced Right to Repair legislation (more states will follow). These 'Fair Repair' laws would require manufacturers to provide service information and sell repair parts to owners and independent repair shops.

Activist groups like the EFF and Repair.org want to "ensure that repair people aren't marked as criminals under the DMCA," according to the site, arguing that we're heading towards a future with many more gadgets to fix. "But we'll have to fix copyright law first."
Security

Top Security Researchers Ask The Guardian To Retract Its WhatsApp Backdoor Report (technosociology.org) 70

Earlier this month The Guardian reported what it called a "backdoor" in WhatsApp, a Facebook-owned instant messaging app. Some security researchers were quick to call out The Guardian for what they concluded was irresponsible journalism and misleading story. Now, a group of over three dozen security researchers including Matthew Green and Bruce Schneier (as well as some from companies such as Google, Mozilla, Cloudflare, and EFF) have signed a long editorial post, pointing out where The Guardian's report fell short, and also asking the publication to retract the story. From the story: The WhatsApp behavior described is not a backdoor, but a defensible user-interface trade-off. A debate on this trade-off is fine, but calling this a "loophole" or a "backdoor" is not productive or accurate. The threat is remote, quite limited in scope, applicability (requiring a server or phone number compromise) and stealthiness (users who have the setting enabled still see a warning; "even if after the fact). The fact that warnings exist means that such attacks would almost certainly be quickly detected by security-aware users. This limits this method. Telling people to switch away from WhatsApp is very concretely endangering people. Signal is not an option for many people. These concerns are concrete, and my alarm is from observing what's actually been happening since the publication of this story and years of experience in these areas. You never should have reported on such a crucial issue without interviewing a wide range of experts. The vaccine metaphor is apt: you effectively ran a "vaccines can kill you" story without interviewing doctors, and your defense seems to be, "but vaccines do kill people [through extremely rare side effects]."
Red Hat Software

Interviews: Ask Red Hat CEO Jim Whitehurst A Question (redhat.com) 167

Jim Whitehurst joined Red Hat in 2008, as its valuation rose past $10 billion and the company entered the S&P 500. He believes that leaders should engage people, and then provide context for self-organizing, and in 2015 even published The Open Organization: Igniting Passion and Performance (donating all proceeds to the Electronic Frontier Foundation). The book describes a post-bureaucratic world of community-centric companies led with transparency and collaboration, with chapters on igniting passion, building engagement, and choosing meritocracy over democracy.

Jim's argued that Red Hat exemplifies "digital disruption," and recently predicted a world of open source infrastructure running proprietary business software. Fortune has already called Red Hat "one of the geekiest firms in the business," and their open source cloud computing platform OpenStack now competes directly with Amazon Web Services. Red Hat also sponsors the Fedora Project and works with the One Laptop Per Child initiative.

So leave your best questions in the comments. (Ask as many questions as you'd like, but please, one per comment.) We'll pick out the very best questions, and then forward them on for answers from Red Hat CEO Jim Whitehurst.
Electronic Frontier Foundation

2016 Saw A Massive Increase In Encrypted Web Traffic (eff.org) 91

EFF's "Deeplinks" blog has published nearly two dozen "2016 in Review" posts over the last nine days, one of which applauds 2016 as "a great year for adoption of HTTPS encryption for secure connections to websites." An anonymous reader writes: In 2016 most pages viewed on the web were encrypted. And over 21 million web sites obtained security certificates -- often for the first time -- through Let's Encrypt. But "a sizeable part of the growth in HTTPS came from very large hosting providers that decided to make HTTPS a default for sites that they host, including OVH, Wordpress.com, Shopify, Tumblr, Squarespace, and many others," EFF writes. Other factors included the support of Transport Layer Security (TLS) 1.3 by Firefox, Chrome, and Opera.
Other "2016 in Review" posts from EFF include Protecting Net Neutrality and the Open Internet and DRM vs. Civil Liberties. Click through for a complete list of all EFF "2016 in Review" posts.
AT&T

US Court Demands Documents On AT&T/Police Collaboration (eff.org) 48

"The federal government has not justified its excessive secrecy about the massive telephone surveillance program known as Hemisphere, a court ruled in an EFF Freedom of Information Act lawsuit on Thursday." schwit1 quotes the EFF announcement: As a result, the federal government must submit roughly 260 pages of previously withheld or heavily redacted records to the court so that it can review them and decide whether to make more information about Hemisphere public. Hemisphere is a partnership between AT&T and federal, state, and local law enforcement agencies that allows police almost real-time access to telephone call detail records. The program is both extremely controversial -- AT&T requires police to hide its use from the public -- and appears to violate our First and Fourth Amendment rights.
Government lawyers had argued the disputed documents were restricted to use at the federal level, but the court remained unconvinced, especially "after EFF demonstrated that many of them appeared to have been given to state and local law enforcement."
Electronic Frontier Foundation

EFF Begins Investigating Surveillance Technology Rumors At Standing Rock (eff.org) 147

Electronic Frontier Foundation has dispatched a team of technologists and lawyers to a protest site in Standing Rock, North Dakota, to investigate "several reports of potentially unlawful surveillance." An anonymous reader writes: The EFF has "collected anecdotal evidence from water protectors about suspicious cell phone behavior, including uncharacteristically fast battery drainage, applications freezing, and phones crashing completely," according to a recent report. "Some water protectors also saw suspicious login attempts to their Google accounts from IP addresses originating from North Dakota's Information & Technology Department. On social media, many reported Facebook posts and messenger threads disappearing, as well as Facebook Live uploads failing to upload or, once uploaded, disappearing completely."

The EFF reports "it's been very difficult to pinpoint the true cause or causes," but they've targeted over 20 law enforcement agencies with public records requests, noting that "Of the 15 local and state agencies that have responded, 13 deny having any record at all of cell site simulator use, and two agencies -- Morton County and the North Dakota State Highway Patrol (the two agencies most visible on the ground) -- claim that they can't release records in the interest of "public safety"...

"Law enforcement agencies should not be allowed to sidestep public inquiry into the surveillance technologies they're using," EFF writes, "especially when citizens' constitutional rights are at stake... It is past time for the Department of Justice to investigate the scope of law enforcement's digital surveillance at Standing Rock and its consequences for civil liberties and freedoms in the digital world."

Slashdot Top Deals