NSA Is Spying on Scientists

A new document made public this week via Edward Snowden’s leak of NSA documents reveals a fascinating aim of a signals intelligence (SIGINT) program: The agency, it turns out, monitored international scientific developments in hopes of detecting “nefarious” genetic engineering projects more than a decade ago.

SIGINT is intelligence collected by monitoring electronic and communications signals. In 2013, documents leaked by NSA contractor Edward Snowden revealed the extent of the agency’s reliance on this kind of intelligence to provide insight into the capabilities and intentions of foreign entities, as well as domestic targets. In the years since, documents have continued to trickle out of the Snowden leak that shed additional light on those efforts.

https://theintercept.com/snowden-sidtoday/3676149-finding-genetic-sequences-in-sigint/

— source gizmodo.com

US military admits failures to monitor over $1 billion worth of arms transfers

The US Army failed to keep tabs on more than $1 billion worth of arms and other military equipment in Iraq and Kuwait according to a now declassified Department of Defense (DoD) audit, obtained by Amnesty International following Freedom of Information requests.

The government audit, from September 2016, reveals that the DoD “did not have accurate, up-to-date records on the quantity and location” of a vast amount of equipment pouring into Kuwait and Iraq to provision the Iraqi Army.

“This audit provides a worrying insight into the US Army’s flawed – and potentially dangerous – system for controlling millions of dollars’ worth of arms transfers to a hugely volatile region,” said Patrick Wilcken, Amnesty International’s Arms Control and Human Rights Researcher.

“It makes for especially sobering reading given the long history of leakage of US arms to multiple armed groups committing atrocities in Iraq, including the armed group calling itself the Islamic State.”

The military transfers came under the Iraq Train and Equip Fund (ITEF), a linchpin of US-Iraqi security cooperation. In 2015, US Congress appropriated USD$1.6 billion for the programme to combat the advance of IS.

The transfers, which include tens of thousands of assault rifles (worth USD$28 million), hundreds of mortar rounds and hundreds of Humvee armoured vehicles, were destined for use by the central Iraqi Army, including the predominantly Shi’a Popular Mobilisation Units, as well as the Kurdish Peshmerga forces.

The DoD audit found several serious shortcomings in how ITEF equipment was logged and monitored from the point of delivery onward, including:

Fragmentary record-keeping in arms depots in Kuwait and Iraq. Information logged across multiple spreadsheets, databases and even on hand-written receipts.
Large quantities of equipment manually entered into multiple spreadsheets, increasing the risk of human error.
Incomplete records meaning those responsible for the equipment were unable to ascertain its location or status.

The audit also claimed that the DoD did not have responsibility for tracking ITEF transfers immediately after delivery to the Iraqi authorities, despite the fact that the department’s Golden Sentry programme is mandated to carry out post-delivery checks.

A previous DoD audit in 2015 pointed to even laxer stockpile monitoring procedures followed by the Iraqi armed forces. In some cases the Iraqi army was unaware of what was stored in its own warehouses, while other military equipment – which had never been opened or inventoried – was stored out in the open in shipping containers.

“The need for post-delivery checks is vital. Any fragilities along the transfer chain greatly increase the risks of weapons going astray in a region where armed groups have wrought havoc and caused immense human suffering,” said Patrick Wilcken.

Arms transfers fuelling atrocities

Amnesty International’s research has consistently documented lax controls and record-keeping within the Iraqi chain of command. This has resulted in arms manufactured in the USA and other countries winding up in the hands of armed groups known to be committing war crimes and other atrocities, such as IS, as well as paramilitary militias now incorporated into the Iraqi army.

In response to the audit, the US military has pledged to tighten up its systems for tracking and monitoring future transfers to Iraq.

However, the DoD made almost identical commitments in response to a report for Congress as long ago as 2007 that raised similar concerns.

“After all this time and all these warnings, the same problems keep re-occurring. This should be an urgent wake-up call for the US, and all countries supplying arms to Iraq, to urgently shore up checks and controls. Sending millions of dollars’ worth of arms into a black hole and hoping for the best is not a viable counter-terrorism strategy; it is just reckless,” said Patrick Wilcken.

“Any state selling arms to Iraq must show that there are strict measures in place to make sure the weapons will not be used to violate rights. Without these safeguards, no transfer should take place.”

Amnesty International is urging the USA to comply with the Leahy Law, which prohibits the supply of most types of US military aid and training to foreign security, military and police units credibly alleged to have committed “gross human rights violations”.

The USA and Iraq must also accede to the global Arms Trade Treaty, which has strict rules in place to stop arms transfers or diversion of arms that could fuel atrocities.

— source amnesty.org

When Apps Secretly Team Up to Steal Your Data

Imagine two employees at a large bank: an analyst who handles sensitive financial information and a courier who makes deliveries outside the company. As they go about their day, they look like they’re doing what they’re supposed to do. The analyst is analyzing; the delivery person is delivering. But they’re actually up to something nefarious. In the break room, the analyst quietly passes some of the secret financials to the courier, who whisks it away to a competing bank.

Now, imagine that the bank is your Android smartphone. The employees are apps, and the sensitive information is your precise GPS location.

Like the two employees, pairs of Android apps installed on the same smartphone have ways of colluding to extract information about the phone’s user, which can be difficult to detect. Security researchers don’t have much trouble figuring out if a single app is gathering sensitive data and secretly sending it off to a server somewhere. But when two apps team up, neither may show definitive signs of thievery alone. And because of an enormous number of possible app combinations, testing for app collusions is a herculean task.

A study released this week developed a new way to tackle this problem—and found more than 20,000 app pairings that leak data. Four researchers at Virginia Tech created a system that delves into the architecture of Android apps to understand how they exchange information with other apps on the same phone. Their system—DIALDroid—then couples apps to simulate how they’d interact, and whether they could potentially work together to leak sensitive information.

When the researchers set DIALDroid loose on the 100,206 most downloaded Android apps, they turned up nearly 23,500 app pairs that leak data. More than 16,700 of those pairs also involved privilege escalation, which means the second app received a type of sensitive information that it’s typically forbidden from accessing.

In one striking example, the study highlighted an app that provides prayer times for Muslims. It retrieves the user’s location and makes it available to other apps on the smartphone. More than 1,500 receiver apps, if installed on the same device, can get the location sent by the prayer-times app. Of those, 39 apps leak the location data to potentially dangerous destinations.

Relatively small groups of unsecured apps were behind the enormous number of leaky connections. The 16,700 app pairs that exhibited privilege escalation all involved one of 33 sender apps. And the roughly 6,700 app pairs that leaked data without privilege escalation all involved one of 21 sender apps. Twenty sender apps appeared in both categories. The problematic apps came in various forms: from entertainment and sports to photography and transportation apps.

Collusive leaks aren’t always intentional—and it’s very difficult to tell when they are. But no matter the aim, leaks of sensitive information without a user’s permission carry potential for abuse.

Sometimes, only one app in a pairing may seem intentionally malicious. An app can take advantage of a security flaw in another app to steal data and extract it to a distant server, for example. Other times, both apps are poorly designed, creating an accidental data flow from one app to another, and then from the second to a log file.

The study found that smartphone location was more likely to be leaked than any other type of information. It’s easier to imagine how a user’s real-time location could be abused than, say, knowing what networks that person’s smartphone is connected to. But smaller details like network state can be used to “fingerprint” a device—that is, to identify it and keep track of what its user does over time.

When they analyzed the final destination for leaked data, the Virginia Tech researchers found that nearly half of the receivers in leaky app pairs sent the sensitive data to a log file. Generally, logged information is only available to the app that created it—but some cyberattacks can extract data from log files, which means the leak could still be dangerous. Other more immediately dangerous app pairings send data away from the phone over the internet, or even over SMS. Sixteen sender apps and 32 receiver apps used permission escalation and extracted leaked data in one of those two ways.
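
A simplified model of the pairwise analysis described above, as an added example (not DIALDroid's code and not taken from the study): it matches one app's outgoing intents against another app's intent filters, reports sensitive data that reaches a sink, and marks privilege escalation when the receiver lacks the permission for that data. The package names, intent actions and app records are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import product

# Real Android permissions that guard each sensitive data type in this model.
REQUIRED_PERMISSION = {
    "location": "android.permission.ACCESS_FINE_LOCATION",
    "network_state": "android.permission.ACCESS_NETWORK_STATE",
}
OFF_DEVICE_SINKS = {"internet", "sms"}  # sinks that move data off the phone

@dataclass(frozen=True)
class App:
    package: str
    permissions: frozenset = frozenset()
    sends: tuple = ()      # (intent action, sensitive data type put in the intent)
    receives: tuple = ()   # (intent action accepted, sink the payload reaches)

@dataclass(frozen=True)
class Finding:
    sender: str
    receiver: str
    data_type: str
    sink: str
    privilege_escalation: bool

def find_leaky_pairs(apps):
    """Pair every sender with every receiver and report sensitive flows to a sink."""
    findings = []
    for sender, receiver in product(apps, repeat=2):
        if sender.package == receiver.package:
            continue
        for (out_action, data_type), (in_action, sink) in product(sender.sends, receiver.receives):
            needed = REQUIRED_PERMISSION[data_type]
            # The sender must be able to read the data, and the receiver's
            # intent filter must accept the action the sender broadcasts.
            if out_action != in_action or needed not in sender.permissions:
                continue
            # Escalation: the receiver obtains data it has no permission to read itself.
            escalated = needed not in receiver.permissions
            findings.append(Finding(sender.package, receiver.package, data_type, sink, escalated))
    return findings

def off_device(findings):
    """Keep only the flows whose sink sends data away from the phone."""
    return [f for f in findings if f.sink in OFF_DEVICE_SINKS]

LOCATION = REQUIRED_PERMISSION["location"]
INTERNET = "android.permission.INTERNET"
SHARE = "example.action.SHARE_LOCATION"  # constructed intent action

# Constructed app records (hypothetical packages, not apps named in the study).
SAMPLE_APPS = [
    App("example.prayertimes", frozenset({LOCATION}), sends=((SHARE, "location"),)),
    App("example.weatherwidget", frozenset({INTERNET}), receives=((SHARE, "internet"),)),
    App("example.mapnotes", frozenset({LOCATION}), receives=((SHARE, "log"),)),
    App("example.flashlight", frozenset(), receives=(("example.action.TOGGLE", "log"),)),
]

if __name__ == "__main__":
    for f in find_leaky_pairs(SAMPLE_APPS):
        print(f)
```

Neither receiver looks suspicious in isolation: one only uses the network and the other only writes a log, which is why the pairing step is what surfaces the leak.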

— source theatlantic.com by Kaveh Waddell

Decoding the Doublespeak of FCC Chairman Pai

Michael Flynn, Kellyanne Conway, and Stephen Miller aren’t the only Donald Trump surrogates who’ve had a very bad couple of weeks.

Ajit Pai, the president’s pick to lead the Federal Communications Commission, was pilloried by The New York Times and Washington Post editorial boards last week after his agency released a rapid-fire series of rulings in a move that resembled Trump’s rush of executive orders. Chairman Pai’s directives, which he issued with zero public input, undermine the open internet and undercut the agency’s Lifeline program, which is designed to make the internet more affordable for families with low incomes.

Pai’s attack on Lifeline drew a swift response. A series of letters from dozens of Democrats on Capitol Hill asserted that Pai’s move to prevent nine internet service providers (ISPs) from serving Lifeline participants was “unfairly punishing” families in need.

Pai managed to draw criticism on the same Sunday from two of the nation’s most prominent and influential newspapers, even as members of Congress piled on. But the condemnation is justified: Pai has long served the interests of massive phone and cable companies, while shafting those ordinary Americans of whom Trump claims to be so fond.

“Many of Mr. Pai’s moves would hurt the people who have the least power,” wrote the Times’ editors. “Congress created the FCC to help all Americans obtain access to communication services without discrimination and at fair prices. Mr. Pai’s approach does exactly the opposite.”

The Post noted that Pai likes to talk the talk of bridging the digital divide—during his first speech as FCC chairman, he said it would be a top agency priority. But when the FCC released his anti-Lifeline action days later, “he opened another gap,” wrote the Post, “this time between his words and his actions.”

It’s the sort of head fake that’s familiar to those who’ve followed Pai’s career as a lead apologist for the phone companies he once worked for—and still serves.

This list of Pai’s miscues on key policy issues makes amply clear the many harmful directions in which the new FCC chairman will lead the agency through the Trump years.

Pai on the 2015 Net Neutrality Proceeding

“[The ruling is] President Obama’s plan to regulate the Internet. … Was this proceeding ‘one of the most open and transparent in Commission history’? Not in the least.”

While Pai has said he supports a free and open internet, he’s been one of the most vitriolic opponents of the rules that were put in place to keep it that way. Pai offered a lengthy dissent when an FCC majority passed the agency’s historic Open Internet Order in 2015. In subsequent statements, he claimed the ruling was part of an elaborate Obama conspiracy to “regulate the internet.”

In truth, the rules aren’t internet regulations but a set of regulations to govern broadband providers like AT&T, Comcast, and Verizon. And these companies no more constitute the Internet than a company like Georgia Pacific signifies the forest. The FCC’s decision reclassified broadband providers under an existing law that preserves the rights we’ve always had to defend ourselves against communications carriers bent on interfering with our speech.

Pai’s complaint about the FCC’s process is a smoking gun with no smoke and no gun. The agency made its legal decisions based on thousands of pages of public-record evidence, and took into account the nearly four million comments from Internet users, all to return to a foundation built on decades of solid law. All of those records are available to anyone with an Internet connection and the gumption to search the freely available archives at FCC.gov.

Pai on the Threat to an Open Internet

“[Net neutrality] regulation was a solution that wouldn’t work for a problem that didn’t exist.”

Pai isn’t alone in making this questionable claim. Calling net neutrality a “solution in search of a problem” is a favorite talking point of phone- and cable-company lobbyists and their many paid surrogates. The principle that protects the open internet is irrelevant, they claim, as blocking has never, ever happened. And if it did, the story goes, market forces would compel ISPs to correct course and reopen their networks.

In reality, many providers both in the United States and abroad have violated the principles of net neutrality—and they plan to continue doing so should Pai’s FCC refuse to enforce the open internet protections.

Whether it’s Comcast blocking access to peer-to-peer technologies (2005), or AT&T forcing Apple to block Skype and other competing VOIP phone services (2007–2009), or Verizon Wireless blocking people from using tethering applications on their phones (2012), or any other of the multiple instances in which ISPs have taken away Internet users’ right to choose, there can be no question that the problem exists.

And an argument a Verizon attorney made in 2013 before a panel of judges underscores the way ISPs view the internet. If it weren’t for the net neutrality protections, the attorney said, Verizon would be actively pursuing arrangements to prioritize certain types of internet traffic while downgrading other websites and services. Verizon even told the court that the company should have the power to edit the internet—suggesting that ISPs are like newspaper publishers, with the power to pick and choose what their broadband customers and others are allowed to say online.

Pai on the Impact the Net Neutrality Rules Have Had on Investment

“Growth in broadband investment has … flatlined.”

“We need to fire up the weed whacker and remove those rules that are holding back investment, innovation, and job creation … [net neutrality’s] days are numbered.”

Pai is a habitual repeater of faulty investment analysis. He’s always eager to draw self-serving but misleading conclusions from bad data.

In the year following the 2015 order, he often cited a single piece of analysis on broadband-provider capital expenditures as proof that the rules harmed investment. But that analysis was provided by an industry-paid operative with a long track record of cooking numbers to suit the policy agenda of large phone and cable companies. In this instance, his analysis selectively removed some capital spending, ignored more legitimate reasons for declines in some individual companies’ investments, and dismissed the large investment increases other companies had made.

Any economic analyst worth her salt will tell you that it’s a fatal flaw to build a conclusion on cherry-picked data. More honest analysis in this sphere considers what every broadband provider is doing, including what they’re saying to their shareholders and to the Securities and Exchange Commission. If Pai had followed this kind of rigorous analysis, he’d have noticed that no company told its shareholders that the 2015 order harmed investment. Indeed, many new fiber and 5G wireless deployments began after the 2015 order, and continued after the D.C. Circuit upheld the rules against a legal challenge from these same companies in 2016.

To be sure, aggregate investment may decline in some years, relative to pre-2015 levels. Investment projects come to completion eventually, and no cable or phone company builds a network one year only to build it all over again the next year. But this in no way proves that companies are curtailing investments because of net neutrality fears; they’ve made that explicit with their spending decisions and in their numerous public statements to investors and the media, which Chairman Pai has chosen to ignore.

Pai on the FCC Effort to Protect Broadband-User Data from Prying ISPs

“Instead of respecting … common sense … the FCC tilts the regulatory playing field by proposing to impose more burdensome regulation on internet service providers, or ISPs, than the FTC imposes on so-called ‘edge providers.’”

Pai dissented when the agency adopted common-sense safeguards for everyday Internet users. In this case, the FCC gave people more choice over whether and how broadband providers use their private information.

Under any sensible interpretation of the communications laws that govern the FCC, the companies that carry all of our speech online have no business profiting from the information they gather without our consent. But Pai chose to spin a reasonable response from the Wheeler FCC as a type of crony capitalism that favors companies like Facebook and Google at the expense of poor neglected ISPs like AT&T and Comcast. To be “fair,” according to Pai, you had to ignore the privacy rights Congress granted to people who might want some control over the way phone and cable companies package and resell their private information.

Internet users may be able to choose search engines, email providers and social-media services that reflect their privacy preferences, but there’s no effective competition among broadband ISPs, nor much room for entry by new carriers trying to reach privacy-conscious consumers. Access providers exploit their bottleneck position to collect nearly every detail about who we talk to, what we do and say online, and—thanks to location tracking—where we do it.

And most importantly, it’s not a question of whether Facebook and Google are threats to privacy. They are. But that’s no reason to ignore the laws that protect people’s privacy from ISPs, out of some misguided sense that the FCC has to abdicate its responsibilities to be “fair” to companies it has clear jurisdiction to regulate. Without the protections the FCC put in place under Pai’s predecessor, even the savviest consumers would be unable to fully protect their online privacy from prying eyes.

Pai on Offering Affordable Broadband to Those in Need

“If we are going to refocus Lifeline on broadband, our goal should be increasing broadband adoption—that is, helping Americans without internet access across the digital divide, not supporting those who have already made the leap.”

In his first speech as FCC chairman, Pai pledged to “bring the benefits of the digital age to all Americans.” But within days he was marching to another tune, hobbling one of the main programs the FCC had designed to fulfill that promise.

Lifeline exists to help low-income families, allowing them to connect and communicate without having to make difficult choices about how to allocate scarce resources. Those choices are exactly what Pai’s unlawful (and immoral) approach to universal service fails to recognize. Broadband adoption and affordability issues are not a simplistic on/off switch; they’re intrinsically tied to people’s overall income and spending choices.

In our 2017 report Digital Denied, Free Press explored the digital divide in depth. While Pai insists that many Internet non-adopters are capable of paying these costs out of their own pockets, our findings prove otherwise. Among home Internet non-adopters within the $35,000–59,999 income bracket, 22 percent cited “can’t afford it” as their reason for not adopting. Within that same income bracket, 25 percent said they’d be willing to subscribe if prices were lower.

The root cause of the adoption gap is the lack of affordability, and that’s primarily the result of a market with inadequate competition and too few affordable choices.

Pai’s solution, absent Lifeline benefits, is to give significant tax breaks to the handful of powerful ISPs that control the broadband-access marketplace. Sacrificing tax revenue to fund the construction of gigabit networks in below-average-income neighborhoods—despite the fact that most of these deployment projects are under way even without any such tax giveaways—does nothing to make these services more affordable to any of the 69 million people who still lack any form of home internet access.

And Pai’s proposal doesn’t even begin to address the difficult choices that far too many people are forced to make. Families in great need may choose to spend their limited dollars on housing, heat or food. Those who do sign up for broadband to look for jobs or let their kids do their homework may have to give up buying enough of those other essentials every month just to keep the internet connection on.

Helping all Americans get connected to an open and affordable internet involves more than delivering empty speeches. And handing out favors to a few powerful broadband incumbents certainly isn’t the answer. But so far, Pai has given us little reason to believe he’s interested in doing anything other than that. No FCC chair over the past 40 years has been so bent on undermining the agency’s public-service mission and destroying the safeguards on which hundreds of millions of Americans rely.

— source prospect.org by Timothy Karr

Amazon, Apple, Google, and Microsoft Battle for school market

The three major tech companies—along with Amazon, a relatively new player on the scene—go head-to-head in vying for big chunks of school business, most notably in sales of devices and operating systems, and they try to forge their own paths in others. School officials are increasingly demanding “personalization” and customization from tech tools, as opposed to one-size-fits-all products.

School officials today make buying decisions based on a combination of factors, including their perceptions that a product will help boost student achievement and increase student engagement. They also want products that are easy to use. District officials overwhelmingly emphasized the importance of ease-of-use in the survey results.

Data privacy of students’ personal information and profile-building practices are also big issues.

— source marketbrief.edweek.org