Domain: dailydot.com
Stories and comments across the archive that link to dailydot.com.
Stories · 255
-
Blackberry Offers 'Lawful Device Interception Capabilities' (itnews.com.au)
An anonymous reader writes: Apple and Google have been vocal in their opposition to any kind of government regulation of cell phone encryption. BlackBerry, however, is taking a different stance, saying it specifically supports "lawful interception capabilities" for government surveillance. BlackBerry COO Marty Beard said as much at a recent IT summit. He declined to explain how the interception works, but he denied the phones would contain "backdoors" and said governments would have no direct access to BlackBerry servers. The company may see this as a way to differentiate themselves from the competition. -
The Dark Net Drug Market That Survived Ukraine's Civil War (dailydot.com)
Patrick O'Neill writes: As Ukraine holds on to an increasingly delicate peace, the country remains divided by armed troops. There is, however, at least one thing that moves reliably through the cities and across dangerous borders: illegal drugs sourced from the Dark Net. While the rest of the country's economy has cratered, online criminal enterprises have survived and offered a living. PsyCo, short for Psychedelic Community, is a hyperlocal market that offers delivery in hours in cities like Kiev. -
US Senate Passes the Cybersecurity Information Sharing Act 74-21 (dailydot.com)
blottsie writes with news that the U.S. Senate voted 74-21 in favor of CISA, a controversial cybersecurity bill. All five amendments submitted in an attempt to bolster privacy failed to pass. From The Guardian's coverage: Try asking the bill’s sponsors how the bill will prevent cyberattacks or force companies and governments to improve their defenses. They can’t answer. They will use buzzwords like “info-sharing” yet will conveniently ignore the fact that companies and the government can already share information with each other as is. There were barely any actual cybersecurity experts who were for the bill. A large group of respected computer scientists and engineers were against it. So were cyberlaw professors. Civil liberties groups uniformly opposed (and were appalled by) the bill. So did consumer groups. So did the vast majority of giant tech companies. Yet it still sailed through the Senate, mostly because lawmakers - many of whom can barely operate their own email - know hardly anything about the technology that they’re crafting legislation about. -
Sen. Ron Wyden Explains the Fight Ahead Over CISA
blottsie writes: Sen. Ron Wyden has led the fight against the Cybersecurity Information Sharing Act (CISA), which the Senate advanced on Thursday in an 84-14 vote. In a new interview with the Daily Dot, Wyden explains why privacy advocates call CISA a "surveillance bill," and discusses why an amendment from Sen. Whitehouse could make CISA more problematic for Internet users' civil liberties. -
Americans Show 'Surprising Willingness' To Accept Internet Surveillance (dailydot.com)
Researchers from BYU recently took a survey of internet users (PDF), mostly from the U.S., to determine how they balanced opinions of security and privacy. They found, perhaps surprisingly, that over 90% of users are fine with somebody snooping their encrypted traffic, so long as they were informed of the snooping. Most of them also supported legislation requiring notification and/or consent. "Most respondents also agreed that employers should be able to monitor the encrypted Internet connections of employees even without notification or consent, especially when an employee used a company computer. There was less agreement when it came to employees using personal devices; approximately a third of respondents opposed surveillance in that case."
That said, "Despite accepting surveillance in a number of situations, 60 percent of respondents said that they would react negatively if they discovered that a network they currently use employed TLS proxies." The study also found 4.5% of participants were "jaded" toward the state of privacy and security on the internet, feeling that their traffic is already monitored, and that the government would circumvent whatever technologies we put in place to protect it. The researchers say this group "once cared about these issues but has lost all hope and has largely given up on ever achieving a secure world." -
Experts Have No Confidence That We Can Protect Cars and Streets From Hackers (dailydot.com)
Patrick O'Neill writes: Cars and streets are now connecting to the Internet for a long list of transportation and safety benefits but the new tech has drawbacks. Experts from government, industry, and academia say they have no confidence they'll develop a secure system that can protect users from tracking and privacy breaches. Their opinions were captured in a recent survey (PDF) from the Government Accountability Office. "The government is coordinating with the transportation industry on the Security Credential Management System (SCMS), a project to verify that basic road-safety messages come from authorized devices. ... At this point, it’s not clear who would even run such a system. Previous plans pointed toward car industry control, but the Transportation Department is now looking into playing 'a more active leadership role' for V2I as well as V2V (vehicle-to-vehicle) networks. That role would include setting security and privacy standards when V2I and V2V networks become operational." -
New iOS 9 Features Mean System-Wide Tor Is In the Works For the First Time (dailydot.com)
Patrick O'Neill writes: At a time when privacy and encryption on mobile devices are the subject of political storm, last month's iOS 9 release means that Apple devices will finally get what Android has had for years: System-wide Tor anonymity. A handful of security experts recently set to work on projects to bring more powerful anonymity to iOS. “There are a bunch of pieces in the works,” Tor developer and Guardian Project leader Nathan Freitas told the Daily Dot. “We just started to work on it and think about it. Tor knows we can’t ignore all the iOS 9 users in the world.” -
Bernie Sanders Comes Out Against CISA
erier2003 writes: Sen. Bernie Sanders' opposition to the Cybersecurity Information Sharing Act in its current form aligns him with privacy advocates and makes him the only presidential candidate to stake out that position, just as cybersecurity issues loom large over the 2016 election, from email server security to the foreign-policy implications of data breaches. The Senate is preparing to vote on CISA, a bill to address gaps in America's cyberdefenses by letting corporations share threat data with the government. But privacy advocates and security experts oppose the bill because customers' personal information could make it into the shared data. -
Cryptome Accidentally Leaks Its Own Visitor IP Addresses (dailydot.com)
An anonymous reader writes with this Daily Dot story about an accidental leak of user info from Cryptome. Cryptome, the Internet's oldest document-exposure site, inadvertently leaked months' worth of its own IP logs and other server information, potentially exposing details about its privacy-conscious users. The data, which specifically came from the Cartome sub-directory on Cryptome.org, according to Cryptome co-creator John Young, made their way into the wild when the site logs were included on a pair of USB sticks sent out to a supporter. -
The Global Struggle To Prevent Cyberwar
blottsie writes: What constitutes war in the 21st century? In an age of almost constant cyberattacks against major corporations and world governments, the consensus among international-law experts is clear: Nobody knows. This sweeping Daily Dot investigation explores the ongoing struggle to define "cyberwar," the increasing geopolitical aggression in cyberspace, and the major players now attempting to write the rules of online battlefields before it's too late.
"Technical experts and legal scholars repeatedly stress that the idea of a 'cyber Pearl Harbor'—a devastating sneak attack on U.S. infrastructure by a powerful state actor that launched a sustained international conflict—is wildly overblown. Right now, Watts said, 'states bite at one another’s ankles in a way to impede progress or to harass them,' but 'as for the likelihood of a major cyber war, I would rate it pretty low.'
Cyber armageddon may be extremely unlikely, but the many attacks below the level of formal armed conflict have still extracted a staggering price, in both economic and political terms. ... For starters, cyber-arms control is effectively hopeless. There’s no point, experts say, in trying to contain the spread of offensive cyber technology. Instead, the best hope for international law is to focus on reducing the incentives for malicious behavior." -
FBI and DEA Under Review For Misuse of NSA Mass Surveillance Data
Patrick O'Neill writes: The FBI and DEA were among the agencies fed information from an NSA surveillance program described as "staggering" by one judge who helped strike the program down. Now the two agencies are under review by the Justice Department for the use of parallel construction as well as looking into the specifics and results of cases originating from NSA tips. (Here's some more on the practice of parallel construction in this context.) -
The US and China Agree Not To Conduct Economic Espionage In Cyberspace
blottsie writes: The leaders of China and the United States agreed on Friday to take new steps to address cyberspying, vowing that neither country would conduct or knowingly support the theft of intellectual property. Senior law-enforcement and intelligence officials from both nations will evaluate how the two major powers respond to each other's requests for assistance fighting "malicious cyber activity," the White House said in a statement. The group will hold its first meeting before the end of the year, with subsequent meetings occurring twice per year. -
Chinese Researchers Propose Tor-Inspired Overhaul of Bitcoin
Patrick O'Neill writes: Although Bitcoin was never designed to be anonymous, many of its users have used it as if it were. Now, two prominent Chinese researchers are proposing a system that encrypts all new Bitcoin transactions layer by layer to beat network analysis that can unmask Bitcoin users. The new research is inspired by the Tor anonymity network. The researchers' paper is at arXiv. (Also covered by The Stack.) -
What Congress' New Email-privacy Bill Means For Your Inbox
erier2003 writes: The Electronic Communications Privacy Act Amendments Act has a simple and vital purpose: making it harder for the government to get your email, instant messages, and Facebook chats. It amends a decades-old law to require government agencies to get a warrant to access the contents of any email or other electronic record—no matter how old those communications are. Sen. Mike Lee, one of the bill's cosponsors, told the Daily Dot why it matters. "The bill adds a warrant requirement for communications that were previously considered so old as to be irrelevant to their participants and unworthy of privacy protections. Right now, emails and other electronic messages older than 180 days are considered to have been “abandoned” by the people who sent and received them. Law-enforcement agencies don't need to get a warrant to force a company like Google or Facebook to turn over those communications." The act also requires the government to notify people whose records it has acquired, though they can delay that notice for 90 or 180 days if they feel sending it will put somebody at risk. -
Sen. Ron Wyden Says CISA Data Collection Could Put Americans At Risk
blottsie writes: In a new interview, Sen. Ron Wyden (D-Ore.) says the Cyber Information Sharing Act of 2015 (CISA) may put more Americans at risk because the U.S. government has failed to learn the right security lessons from the attack on the Office of Personnel Management. He says, in part: "I've been watching as this goes forward—there's this phrase going around the cybersecurity community, 'If you can't protect it, don't collect it.' Now, there is never going to be a system that's 100 percent safe. But what I'm going to start [saying] on the floor as we get to this [CISA debate], is, you give the government a huge new trove of personal information about Americans before you've addressed the problems that were documented all the way back to 2007—those security holes—before you address those, [before] you plug them, that's like responding to a bear attack by stockpiling honey. That's going to be how I open the debate." -
Another Wave of Publications Shut Down Online Comments
AmiMoJo writes: The debate about comment sections on news sites is often as divisive as the comments themselves. Recently outlets such as The Verge and The Daily Dot have closed their comments sections because they've become too hard to manage. And they're far from alone. Moderating comments is a full-time job (or several full-time jobs) at many news organisations. Nicholas White, editor at The Daily Dot, noted that "in our experience, our community hasn't evolved in our comments. It's evolved in our social media accounts. To have comments, you have to be very active, and if you're not incredibly active, what ends up happening is a mob can shout down all the other people on your site. In an environment that isn't heavily curated it becomes about silencing voices and not about opening up voices."
Riese, co-founder and editor-in-chief of LGBT site Autostraddle, adds, "I completely understand why The Daily Dot wouldn't want to have comments — or in fact why most websites wouldn't want to have comments. I think 75% of the time they're more trouble than they're worth, and for us it's still a lot of work to keep up on. Not all of our users are necessarily on Facebook or are out as gay on Facebook, or are comfortable talking about queer stuff on Facebook. We keep comments on the site which is a safe space for people to exchange ideas — and that's a big factor for us." -
Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks
Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: Widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community." -
The Rise of the New Crypto War
blottsie writes: For more than 20 years, the U.S. government has been waging a war on encryption, with the security and privacy of all Americans at stake. Despite repeated warnings from security experts, the FBI and other agencies continue to push tech companies to add "backdoors" to their encryption. The government's efforts, which have angered tech companies and researchers, are part of a long-running campaign to pry into every secure system—no matter what the consequences. This article takes readers from the first Crypto War of the early 1990s to the present-day political battle to keep everyone who uses the Internet safe. -
Hacking Team Breach Leaks Zero-Days, Renews Fight To Regulate Cyberweapons
Patrick O'Neill writes: In the days following a massive hack that confirmed Hacking Team's dealings with repressive regimes around the world, experts are wondering once again how to stop Western technology companies from equipping certain governments with weapons meant to attack journalists, human rights activists, and ordinary civilians. Regulation's backers say that "this is an industry that has failed to police itself," ACLU's Christopher Soghoian argued, but many including the EFF warn that overly broad legislation would harm more than help. In addition, wiredmikey points out that a number of exploits have been released in the wake of the hacking: Several exploits have been discovered, including ones for zero-day vulnerabilities, in the hundreds of gigabytes of data stolen by a hacker from the systems of surveillance software maker Hacking Team. Researchers at Trend Micro analyzed the leaked data and uncovered several exploits, including two zero-days for Adobe Flash Player. A readme document found alongside proof-of-concept (PoC) code for one of the Flash Player zero-days describes the vulnerability as "the most beautiful Flash bug for the last four years since CVE-2010-2161." In addition to the Flash Player exploits, researchers spotted an exploit for a Windows kernel vulnerability, a flaw that fortunately has already been patched. Adobe told SecurityWeek that it's aware of the reports and expects to release a patch on Wednesday. -
Two Years After Snowden Leaks, Encryption Tools Are Gaining Users
Patrick O'Neill writes: It's not just DuckDuckGo — since the first Snowden articles were published in June 2013, the global public has increasingly adopted privacy tools that use technology like strong encryption to protect themselves from eavesdroppers as they surf the Web and use their phones. The Tor network has doubled in size, Tails has tripled in users, PGP has double the daily adoption rate, Off The Record messaging is more popular than ever before, and SecureDrop is used in some of the world's top newsrooms. -
Sunday Times Issues DMCA Takedown Notice To the Intercept Over Snowden Article
An anonymous reader writes: On Sunday, British newspaper The Sunday Times published an article citing anonymous UK government sources claiming that the cache of documents taken by Edward Snowden was successfully decrypted by the Russians and Chinese. Shortly thereafter, Glenn Greenwald at The Intercept published scathing criticism of the article. In Greenwald's article, he included a photograph of the newspaper's front page, where the story was featured. Yesterday, The Intercept received a DMCA takedown notice from News Corp alleging that the photograph infringed upon their copyright. The Intercept is refusing to comply with the takedown demand. -
US Lawmakers Demand Federal Encryption Requirements After OPM Hack
Patrick O'Neill writes: After suffering one of the biggest hacks in federal history at the Office of Personnel Management, the U.S. government is sprinting to require a wide range of cybersecurity improvements across agencies in order to better secure troves of sensitive government data against constant cyberattacks. The top priorities are basic but key: Encryption of sensitive data and two-factor authentication required for privileged users. Despite eight years of internal warnings, these measures were not implemented at OPM when hackers breached their systems beginning last year.
The calls for added security measures come as high-level government officials, particularly FBI director James Comey and NSA director Adm. Mike Rogers, are pushing to require backdoors on encryption software that many experts, like UPenn professor Matt Blaze, say would fundamentally "weaken our infrastructure" because the backdoors would be open to hackers as well. -
Dark Net's Top Selling Drug Dealer Is Making $1.5 Million This Year
Patrick O'Neill writes: Behind a wall of anonymity, an American business is selling $1.5 million in medical marijuana products on the Dark Net this year, according to an analysis of publicly available market records. Occupying the top selling spot on the biggest black market around, Medibuds, as the business brands itself, is the biggest business on the Dark Net. The operation ships dozens of deals a day and has endured for three years, outlasting hundreds of markets and competitors. -
OpenBazaar, Born of an Effort To Build the Next Silk Road, Raises $1 Million
Patrick O'Neill writes: After the fall of Silk Road, Amir Taaki built DarkMarket in an effort to offer a decentralized and "untouchable" market alternative. That's grown into OpenBazaar, a "censorship-resistant" protocol that just raised $1 million from venture capital firms Union Square Ventures and Andreessen Horowitz, as well as angel investor William Mougayar through the company OB1, which will now do core development on the software. -
US Tech Companies Expected To Lose More Than $35 Billion Over NSA Spying
Patrick O'Neill writes: Citing significant sales hits taken by big American firms like Apple, Intel, Microsoft, Cisco, Salesforce, Qualcomm, IBM, and Hewlett-Packard, a new report says losses by U.S. tech companies as a result of NSA spying and Snowden's whistleblowing "will likely far exceed" $35 billion. Previously, the Information Technology and Innovation Foundation put the estimate lower when it predicted the losses would be felt mostly in the cloud industry. The consequences are being felt more widely and deeply than previously thought, however, so the number keeps rising. -
Tim Cook: "Weakening Encryption Or Taking It Away Harms Good People"
Patrick O'Neill writes: Over the last year, Apple CEO Tim Cook has repeatedly made headlines as a spearpoint in the new crypto wars. As FBI director James Comey pushes for legally mandated backdoors on encryption, Cook has added default strong encryption to Apple devices and vocally resisted Comey's campaign. Echoing warnings from technical experts across the world, Cook said that adding encryption backdoors for law enforcement would weaken the security of all devices and "is incredibly dangerous," he said last night at the Electronic Privacy Information Center awards dinner. "So let me be crystal clear: Weakening encryption or taking it away harms good people who are using it for the right reason." -
Patriot Act Spy Powers To Expire As Rand Paul Blocks USA Freedom Act Vote
Saturday, we mentioned that three major spying powers that the U.S. government has exercised under the Patriot Act might be nixed, as the sections of the Act granting authority to use them expire. The Daily Dot reports that Senator (and presidential contender) Rand Paul today used Senate rules to block a bill which would have extended those powers, which means that as of midnight Sunday on the U.S. east coast, sections 206, 207 and 215 of the Patriot Act will have expired. Says the Daily Dot's article, linked by reader blottsie: The reform bill, which the House passed before leaving town for a week-long recess, would end the government's bulk collection of Americans' phone records under the Patriot Act's controversial Section 215 but leaves the other two provisions intact. ... Sunday's procedural meltdown was the second narrow defeat for the USA Freedom Act. In a late-night session on Friday, May 22, the bill fell three votes short of an initial procedural step after [Senate Majority Leader] McConnell lobbied hard against it. The Senate's failure to meet its deadline was a blow to President Obama, who on Friday had warned lawmakers that the country would be vulnerable if the USA Freedom Act did not pass. -
Murder Accusations Hang Over Silk Road Boss Ulbricht's Sentencing
Patrick O'Neill writes: Ross Ulbricht has never been tried for murder. But tomorrow, when the convicted Silk Road creator is sentenced to prison, murder will be on the mind of the judge. Despite never filing murder-for-hire charges, New York federal prosecutors have repeatedly pushed for harsh sentencing because they say Ulbricht solicited multiple murders. The judge herself recently referred to Ulbricht's "commission of murders-for-hire" in a letter about the sentencing, painting an even grimmer picture of Ulbricht's sentencing prospects. -
Hackers Can Track Subway Riders' Movements By Smartphone Accelerometer
Patrick O'Neill writes: Tens of millions of daily subway riders around the world can be tracked through their smartphones by a new attack, according to research from China's Nanjing University. The new attack even works underground and doesn't utilize GPS or cell networks. Instead, the attacker steals data from a phone's accelerometer. Because each subway in the world has a unique movement fingerprint, the phone's motion sensor can give away a person's daily movements with up to 92% accuracy. -
TPP Fast Track Passes Key Vote In the Senate, Moves On To the House
onproton writes: The Senate voted yesterday to reauthorize the controversial Trade Promotion Authority (TPA), which expedites, or 'Fast Tracks,' the passage of trade agreements through Congress. If also approved by the House, it will grant the authority to decide and negotiate the terms of agreements like the Trans-Pacific Partnership (TPP) to the executive branch, significantly limiting congressional involvement and leaving little room for debate. Proponents of the bill, namely the USTR, claim that Fast Tracking the TPP is critical to successfully negotiating its terms internationally, and will "ensure that Congress, stakeholders and the public are closely involved before, during and after the conclusion of trade agreement negotiations." Though in reality, it does not introduce significant changes in the transparency or reporting requirements that are currently in place, which have allowed the negotiations of this deal to be held in secret since 2009. With concerns being raised about the deal's impacts on everything from intellectual property rights to government sovereignty, it is surprising to many that Congress would abdicate their role in determining the specifics of agreements that may have far reaching implications for their constituents. -
NSA-Reform Bill Fails In US Senate
New submitter Steven King writes with a link to The Daily Dot's report that the U.S. Senate has rejected the controversial USA Freedom Act, thus "all but guaranteeing that key provisions of the USA Patriot Act will expire"; had it passed, the bill would have allowed continued use of some mass data-collection practices, but with the addition of stronger oversight. From the article: The Senate failed to reach agreement on passage of the USA Freedom Act, a bill to reauthorize and reform Section 215 of the USA Patriot Act, which the government has used to conduct bulk surveillance of Americans' phone records. The House of Representatives passed the bill last week by an overwhelming bipartisan majority, but Senate Democrats, who unified behind the bill, did not get enough Republican votes to assure passage. The linked piece also mentions that the EFF shifted its position on this bill, after a panel of Federal judges ruled that the Feds at the NSA had overstepped their bounds in collecting a seemingly unlimited trove of metadata relating to American citizens' phone calls. -
Academics Build a New Tor Client Designed To Beat the NSA
An anonymous reader writes: In response to a slew of new research about network-level attacks against Tor, academics from the U.S. and Israel built a new Tor client called Astoria designed to beat adversaries like the NSA, GCHQ, or Chinese intelligence who can monitor a user's Tor traffic from entry to exit. Astoria differs most significantly from Tor's default client in how it selects the circuits that connect a user to the network and then to the outside Internet. The tool is an algorithm designed to more accurately predict attacks and then securely select relays that mitigate timing attack opportunities for top-tier adversaries. -
How 1990s Encryption Backdoors Put Today's Internet In Jeopardy
An anonymous reader writes: While debate swirls in Washington D.C. about new encryption laws, the consequences of the last crypto war are still being felt. Logjam vulnerabilities making headlines today are "a direct result of weakening cryptography legislation in the 1990s," researcher J. Alex Halderman said. "Thanks to Moore's law and improvements in cryptanalysis, the ability to break that crypto is something really anyone can do with open-source software. The backdoor might have seemed like a good idea at the time. Maybe the arguments 20 years ago convinced people this was going to be safe. History has shown otherwise. This is the second time in two months we've seen 90s era crypto blow up and put the safety of everyone on the internet in jeopardy." -
Eugene Kaspersky: "Our Business Is Saving the World From Computer Villains"
blottsie writes: While the nature of Kaspersky's relationship with the Kremlin remains, at the very least, a matter of contention, his company's influence is anything but hazy. On top of their successful antivirus business, Kaspersky Lab researchers have discovered key details about the now-infamous Stuxnet virus, which was deployed by the U.S. and Israel against Iran's nuclear facilities. Kaspersky analysts later uncovered Flame, which the Washington Post found was another American-Israeli cyberweapon against Iran. All of this is on top of building a highly successful antivirus business. In a new interview with the Daily Dot, Kaspersky elaborates on thoughts about his company, his wealth, and the state of modern cybersecurity. -
Silk Road's Leader Paid a Doctor To Help Keep Customers Safe
An anonymous reader writes: Two years after the fall of Silk Road, new facts about the saga are still emerging all the time. The latest revelation is that Dread Pirate Roberts, the leader of Silk Road, paid a doctor $500 per week to offer public and private counseling to customers of the site. DoctorX, also known as Dr. Fernando Caudevilla, became famous for his free work on the site. The fact that he was eventually paid a salary is being used by lawyers for Ross Ulbricht to argue that Silk Road emphasized harm reduction and was, on the whole, a huge improvement in safety for drug users. -
After Over a Year of Police Action, Dark Net Black Markets Still Growing
When the original Silk Road was shut down in 2013, it provided definitive evidence that federal law enforcement was targeting online black markets. Later, after the fall of Silk Road 2.0 and the Evolution Market's admins running off with their customers' money, you might have expected people to become more wary of dark net markets — but that doesn't seem to be the case. The number of products being bought and sold is up significantly since last year, and it's quadrupled since the original Silk Road fell. "The most enduring institution on the Dark Net is Agora. Founded in December 2014, amid the rubble of Silk Road's fall, Agora now accounts for 37 percent of all Dark Net product listings. It's a drug-heavy market with substantial supplies in marijuana, ecstasy, prescription drugs, and stimulants—and nearly any other drug you can imagine." -
Anonymous Accused of Running a Botnet Using Thousands of Hacked Home Routers
An anonymous reader writes: New research indicates that Anonymous hacktivists (among other groups) took advantage of lazy security to hijack thousands of routers using remote access and default login credentials. "'For perpetrators, this is like shooting fish in a barrel, which makes each of the scans that much more effective,' the report explains. 'Using this botnet also enables perpetrators to execute distributed scans, improving their chances against commonplace blacklisting, rate-limiting and reputation-based defense mechanisms.'" -
Study Reveals Wikimedia Foundation Is 'Awash In Money'
New submitter Harold Dumbacher writes: Few things seen on Wikipedia aggravate its users more than the annual fundraising banners. Yet millions of people continue to contribute, seeming to think that Wikipedia will "go offline" if they aren't given more donations. Yet as a new Wikipediocracy blog post reveals, the Wikimedia Foundation is rolling in dough — $53 million in net assets as of this year (that's actual hard sitting-around currency, currently put into various investment vehicles). Meanwhile it only costs about $2.5 million to actually keep Wikimedia project servers online and handling user traffic. The rest of the WMF's annual donations go for "staff salaries, travel and miscellaneous." And evidently, many people are growing disgruntled with this ongoing state of affairs, even Wikimedia staff who benefit from it. -
Senators Demand CIA Director Admit He Lied About Spying On Senate Computers
blottsie writes with a link to a story at The Daily Dot which begins: CIA Director John Brennan lied when he denied ordering agency employees to search Senate computers to trace a leak. Frustrated with his unwillingness to admit the obvious, three Senate Democrats on Friday called on Brennan to admit that his agency crossed the line. The Senate Intelligence Committee was preparing a report on the CIA's Bush-era torture programs when the spy agency discovered that the committee had somehow acquired an internal CIA report on the program. To determine how the report had leaked, Brennan ordered CIA officers to pry into the computers used by committee staffers. The heart of the story is in the letter in which the Senators call for Brennan to 'fess up, also linked from the story. Drawing from that letter: When you were asked publicly about the CIA's search in March 2014, you denied that any improper access had occurred, stating that "As far as the allegations of, you know, CIA hacking into, you know, Senate computers, nothing could be further from the truth. I mean, that's -- that's just beyond the -- you know, the scope of reason in terms of what we could do." The reports of both the Inspector General and your review board demonstrate that this denial was at odds with the facts.
In June 2014, senior officials from the FBI, NSA, and the Office of the Director of National Intelligence all testified that it would be inappropriate for their agencies to secretly search Senate files without external authorization. To date, however, there has been no public acknowledgement from you or any other CIA official (outside the Office of Inspector General) that this search was improper, nor even a commitment that the CIA will not conduct such searches in the future. This is entirely unacceptable. -
James Comey: the Man Who Wants To Outlaw Encryption
Patrick O'Neill writes: "There has not been a tradeoff between liberty and security in our response to terrorism in this country and in our efforts to offer security to the people of the United States," said James Comey, now the director of the FBI. Comey was the number two man in the Department of Justice during the Bush years when NSA and law enforcement surveillance of Americans grew to unprecedented heights. Now he's pushing to stop encryption by default on Apple and Android devices. -
Cyberlock Lawyers Threaten Security Researcher Over Vulnerability Disclosure
qubezz writes: Security researcher Phar (Mike Davis/IOActive) gave his 30 days of disclosure notice to Cyberlock (apparently a company that makes electronic lock cylinders) that he would release a public advisory on vulnerabilities he found with the company's security devices. On day 29, their lawyers responded with a request to refrain, feigning ignorance of the previous notice, and invoking mention of the DMCA (this is not actually a DMCA takedown notice, as the law firm is attempting to suppress initial disclosure through legal wrangling). Mike's blog states: "The previous DMCA threats are from a company called Cyberlock, I had planned to do a fun little blog post (cause i ... hate blog posts) on the fun of how I obtained one, extracted the firmware bypassing the code protection and figured out its "encryption" and did various other fun things a lock shouldn't do for what its marketed as.. But before I could write that post I needed to let them know what issues we have deemed weaknesses in their gear.. the below axe grinderery is the results. (sic)" What should researchers do when companies make baseless legal threats to maintain their security-through-obscurity? Related: Bitcoin exchange company Coinbase has been accused of spying on a dark net researcher. -
FBI Slammed On Capitol Hill For "Stupid" Ideas About Encryption
blottsie writes: At a hearing in Washington, D.C., on Wednesday, the FBI endured outright hostility as both technical experts and members of Congress from both parties roundly criticized the law enforcement agency's desire to place so-called back doors into encryption technology. "Creating a technological backdoor just for good guys is technologically stupid," said Rep. Ted Lieu (D-Calif.), a Stanford University computer science graduate. "That's just stupid. Our founders understood that an Orwellian overreaching government is one of the most dangerous things this world could have," Lieu said. -
A Guide To the 5 Cybersecurity Bills Now Before Congress
blottsie writes: At press time, the House had passed two cybersecurity bills, one Senate bill had been passed out of committee and reported to the full chamber for a final vote, and a third House bill and a second Senate bill were awaiting review by the appropriate committee. The two House bills that passed earlier this week will be combined and sent to the Senate, but the Senate won't take them up directly; instead, it will vote on its own two bills. It's complicated, so here's a quick breakdown of the key details. -
Security Companies Accused of Exaggerating Iran's Cyberthreats Against the US
An anonymous reader writes: A widely-read report accusing Iran of hundreds of thousands of cyberattacks against the U.S. is being criticized as hugely inaccurate as well as motivated by marketing and politics, according to a new whitepaper and critics around the security industry. The original report, solicited by a conservative think tank and published by Norse in the lead up to the RSA Security Conference, hit the front page of the New York Times by calling handshakes and network scans "sophisticated cyberattacks." -
Tor Is Building the Next Generation Dark Net With Funding From DARPA
Patrick O'Neill writes: After years of relative neglect, Tor has been able to dedicate increasing time and resources to its hidden services thanks to funding in part by DARPA, as well as an upcoming crowdfunding campaign. DARPA's funding lasts 1-3 years and covers several projects including security and usability upgrades that close the gap between hidden services and the everyday Internet. "Next-generation hidden services may be run from multiple hosts to better deal with denial of service attacks and high traffic in general, a potentially big power boost that further closes the gap between the Dark Net and normal websites. ... Hidden services, which make up about 4 percent of the entire Tor network, have until recently been relatively neglected when it comes to funding and developing." -
Hacked Sony Emails Reveal That Sony Had Pirated Books About Hacking
An anonymous reader writes: Sony has done a lot of aggressive anti-piracy work in their time, which makes it that much funnier that pirated ebooks were found on their servers from the 2014 hacks that just went on to WikiLeaks. Better yet, the pirated books are educational books about hacking called "Inside Cyber Warfare" and "Hacking the Next Generation" from O'Reilly publishers. -
Why Is the Internet Association Rewarding a Pro-NSA Net-Neutrality Opponent?
First time accepted submitter erier2003 writes: The decision to give a major award to House Majority Leader Kevin McCarthy is curious given McCarthy's many questionable stances on Internet-freedom issues. For one thing, the California congressman is an avowed opponent of net neutrality. In May 2014, as the Federal Communications Commission debated new net neutrality rules, McCarthy—then the House Majority Whip, the chamber's third-highest-ranking member—signed a House GOP letter to the FCC warning that Title II regulation represented "a counterproductive effort to even further regulate the Internet."