Congress’ Imperfect Start to Addressing Vulnerabilities

With the global and debilitating WannaCry ransomware attack dominating the news in recent weeks, it’s increasingly necessary to have a serious policy debate about disclosure and patching of vulnerabilities in hardware and software.

Although WannaCry takes advantage of a complex and collective failure in protecting key computer systems, it’s relevant to ask what the government’s role should be when it learns about new vulnerabilities. At EFF, we’ve been pushing for more transparency around the decisions the government makes to retain vulnerabilities and exploit them for “offensive purposes.”

Now, some members of Congress are taking steps towards addressing these decisions with the proposal of the Protecting Our Ability to Counter Hacking—or PATCH—Act (S.1157). The bill, introduced last week by Sens. Ron Johnson, Cory Gardner, and Brian Schatz and Reps. Blake Farenthold and Ted Lieu, is aimed at strengthening the government’s existing process for deciding whether to disclose previously unknown technological vulnerabilities it finds and uses, called the “Vulnerabilities Equities Process” (VEP).

The PATCH Act seeks to do that by establishing a board of government representatives from the intelligence community as well as more defensive-minded agencies like the Departments of Homeland Security and Commerce. The bill tasks the board with creating a new process to review and, in some cases, disclose vulnerabilities the government learns about.

The PATCH Act is a good first step in shedding some light on the VEP, but, as currently written, it has some shortcomings that would make it ineffective in stopping the kind of security failures that ultimately lead to events like the WannaCry ransomware attack. If lawmakers really want to deal with the dangers of the government holding on to vulnerabilities, the VEP must apply to classified vulnerabilities that have been leaked.

The VEP was established in 2010 by the Obama administration and was intended to require government agencies to collectively weigh the costs and benefits of disclosing these vulnerabilities to outside parties like software vendors instead of holding onto them to use for spying and law enforcement purposes.

Unfortunately, after EFF fought a long FOIA battle to obtain a copy of the written VEP policy document, we’ve learned that it went largely unused. In the meantime, agencies like the NSA and CSA suffered major thefts of their often incredibly powerful tools. In particular, the 2016 Shadow Brokers leak enabled outsiders to later develop the WannaCry ransomware using an NSA tool that the agency likened to “fishing with dynamite.” 

Lawmakers should be commended for trying to codify and expand the existing process to ensure that the government is adequately considering these risks, and the PATCH Act is a welcome first step.

But there are two areas in particular where it needs to go further.

First, as described above, the current bill seems to overlook situations where the government loses control of vulnerabilities that it has decided to retain. As we’ve seen with the Shadow Brokers leaks, this is a very real possibility, one which even kept the NSA up at night, according to the Washington Post. Yet the PATCH Act specifically states that a classified vulnerability will not be considered “publicly known” if it has been “inappropriately released to the public.” That means that a stolen NSA tool can be circulating widely among third parties without triggering any sort of mandatory reconsideration of disclosure to a vendor to issue a patch. While it might be argued that other provisions of the bill implicitly account for this scenario, we’d like to see it addressed explicitly.

In addition to overlooking situations like the WannaCry ransomware attack, the bill excludes cases where the government never actually acquires information about a vulnerability and instead contracts with a third-party for a “black box exploit.”

For example, in the San Bernardino case, the FBI reportedly paid a contractor a large sum of money to unlock an iPhone without ever learning details of how the exploit worked. Right now, the government apparently believes it can contract around the VEP in this way. This raises concerns about the government’s ability to adequately assess the risks of using these vulnerabilities, which is why a report written by former members of the National Security Council recommended prohibiting non-disclosure agreements with third-parties entirely. At the very least, we’d like to see the bill bring more transparency to the use of vulnerabilities even when the government itself doesn’t acquire knowledge of the vulnerability.

We hope to see the bill’s authors address these concerns as it moves forward to ensure that all of the vulnerabilities known to the government are reviewed and, where appropriate, disclosed.

TPP Comes Back From the Dead… Or Does It?

Could the Trans-Pacific Partnership (TPP) be coming back from the dead? It is at least a possibility, following the release of a carefully-worded statement last Sunday from an APEC Ministerial meeting in Vietnam. The statement records the agreement of the eleven remaining partners of the TPP, aside from the United States which withdrew in January, to “launch a process to assess options to bring the comprehensive, high quality Agreement into force.” This assessment is to be completed by November this year, when a further APEC meeting in Vietnam is to be held.

We do know, however, that not all of the eleven countries are unified in their view about how the agreement could be brought into force. In particular, countries like Malaysia and Vietnam would like to see revisions to the treaty before they could accept a deal without the United States. This is hardly an unreasonable position, since it was the United States that pushed those countries to accept provisions such as an unreasonably long life plus 70 year copyright term, which is to no other country’s benefit.

Other TPP countries, such as Japan and New Zealand, are keen to bring the deal into force without any renegotiation, which could add years of further delay to the treaty’s completion. Japan also likely fears losing some of the controversial rules that it had pushed for, such as the ban on software source code audits. The country’s Trade Minister, Hiroshige Seko, has been quoted as saying, “No agreement other than TPP goes so far into digital trade, intellectual property and improving customs procedures.”

For now, that remains true; many of the TPP’s digital rules are indeed extreme and untested. But for how much longer? Industry lobbyists are pushing for the same digital trade rules to be included in Asia’s Regional Comprehensive Economic Partnership (RCEP) and in a renegotiated version of the North American Free Trade Agreement (NAFTA). Since RCEP and NAFTA together cover most of the same countries as the TPP, there will be little other rationale for the TPP to exist if lobbyists succeed in replicating its rules in those other deals. 

Free Trade Rules that Benefit Users

It’s worth stressing that EFF is not against free trade. If trade agreements could be used to serve users rather than to make their lives more difficult, EFF could accept or even actively support certain trade rules. For example, last week the Re:Create Coalition, of which EFF is a member, issued a statement explaining how the inclusion of fair use in trade agreements would make them more balanced than they are now. The complete statement, issued by Re:Create’s Executive Director Joshua Lamel, says:

If NAFTA is renegotiated and if it includes a chapter on copyright, that chapter must have mandatory language on copyright limitations and exceptions, including fair use. The United States cannot export one-sided enforcement provisions of copyright law without their equally important partner under U.S. law: fair use.

The U.S. should also take further steps to open up and demystify its trade policy-making processes, not only to Congress but also to the public at large, by publishing text proposals and consolidated drafts throughout the negotiation of trade agreements.

The last paragraph of this statement is key: we can’t trust that trade agreements will reflect users’ interests unless users have a voice in their development. Whether the TPP comes back into force or not, the insistence of trade negotiators on a model of secretive, back-room policymaking will lead to the same flawed rules popping up in other agreements, to the benefit of large corporations and the detriment of ordinary users.

At this point we have no faith that the TPP would be reopened for negotiation in a way that is inclusive, transparent and balanced, and we maintain our outright opposition to the deal. RCEP is being negotiated in an equally closed process, though we are continuing to lobby negotiators about our concerns with that agreement’s IP and Electronic Commerce chapters. As for NAFTA, we are urging the USTR to heed our recommendations for reform of the office’s practices before negotiations commence.

The death of the TPP didn’t mark the end of EFF’s work on trade negotiations and digital rights, and its reanimation won’t change our course either. No matter where the future of digital trade rules lies, our approach remains the same: advocating for users’ rights, and fighting for the reform of closed and captured processes. Until our concerns are heard and addressed, trade negotiators can be assured that regulating users’ digital lives through trade agreements isn’t going to get any easier.

I’m In Love With the Opera 46 Beta Wallpapers

The latest beta release of Opera, the web browser, makes a striking set of colourful custom wallpapers available to its users. Provided as extensions, the backgrounds are applied to the speed dial and other elements of the browser chrome with its new Opera ‘reborn’ UI. “To complement Opera’s new look and feel, we have partnered with top industry […]

This post, I’m In Love With the Opera 46 Beta Wallpapers, was written by Joey Sneddon and first appeared on OMG! Ubuntu!.

Addressing Delays in and the EFF Action Center Message Delivery

EFF has identified and addressed the delivery problem, and we extend our deep apologies for the delays to digital activists who use our tools.

We recently became aware that there were significant delays in delivering some of the messages sent to Congress via two of EFF’s open-source messaging tools, and the EFF Action Center. While we have now addressed the problem, we wanted to be transparent with the community about what happened and the steps we’ve taken to fix it.

The EFF Action Center is a tool people can use to speak out in defense of digital liberty using text prompts from EFF, including letters to Congress that users can edit and customize. is a free tool that we built for the world based on the same technical backend as our Action Center. It lets users send messages to their members of Congress on any topic, with as few clicks as possible. The errors we experienced only impacted letters (not petitions, tweet campaigns, or call campaigns) for a number of Representatives and a handful of Senators. We sincerely apologize to everyone who was affected by this delay.

The issue sprang from the way in which our tools handled CAPTCHAs, a type of service that website owners use to verify that a given user is a human and not a bot. Our tools work by filling out contact forms on individual congressional websites on behalf of users. When our tool bumps into a CAPTCHA, it takes a snapshot, returns it to the user, and lets the user give the correct answer to finish filling out the form. Since all of our messages to Congress are submitted by real people, this worked fine for traditional CAPTCHAs. However, a percentage of Congress members had begun using a more complicated type of CAPTCHA known as reCAPTCHA, which was beyond the technical abilities of our system.

At the same time, we have made some fundamental changes to our error-logging system. As a result, the engineers who staff and maintain stopped receiving notifications of delivery errors, so we unfortunately missed the fact that a portion of messages were failing.

Some messages are undeliverable due to user data errors, legislators leaving office, or other irresolvable issues. However, we have now successfully re-sent nearly all the deliverable messages that had been delayed in our system. A very small percentage of messages are still pending, but we will be delivering them over the next few weeks.

In addition to delivering the delayed messages, we’ve made some key infrastructure changes to help prevent problems like this from arising in the future and to mitigate the impact of any issues that do arise. First, we integrated an experimental API delivery for the House of Representatives called Communicating with Congress. This implementation has resolved the reCAPTCHA problems we were facing in the House of Representatives. In addition, when someone tries to send a message to one of the few Senators whose forms we cannot complete, we’ll notify the user in real time and provide a link to the Senator’s website so the user can send a message directly. Finally, we’ve improved our error logging process so that if another significant delay happens in the future, we’ll know about it right away.
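The two failure modes described above (a subset of forms silently failing on an unsupported CAPTCHA, and an error-logging change that cut off the alerts that would have exposed it) are exactly what a small delivery monitor should catch. The following is an added example, not EFF's code; the log format, form identifiers and the `alert_canary` event are constructed for illustration. It flags forms whose delivery attempts mostly fail, messages left pending too long, and a dead notification channel.

```python
"""Delivery-failure monitor for a form-filling message tool (constructed example)."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one line per delivery attempt; the format is hypothetical.
SAMPLE_LOG = """\
2017-05-10T12:00:01 form=H-01 status=delivered
2017-05-10T12:01:10 form=H-02 status=failed reason=captcha_unsupported
2017-05-10T12:02:15 form=H-02 status=failed reason=captcha_unsupported
2017-05-10T12:03:20 form=H-02 status=failed reason=captcha_unsupported
2017-05-10T12:04:00 form=S-01 status=failed reason=user_data_error
2017-05-10T12:05:00 form=S-01 status=delivered
2017-05-10T12:06:00 form=S-01 status=delivered
2017-05-09T08:00:00 form=S-02 status=pending
2017-05-10T12:00:00 form=monitor status=alert_canary
"""

def parse_log(text):
    """Parse 'ISO-timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events

def failing_forms(events, min_attempts=3, max_fail_ratio=0.5):
    """Forms whose failure ratio exceeds the threshold, with the dominant failure reason."""
    totals, failed, reasons = defaultdict(int), defaultdict(int), defaultdict(Counter)
    for ev in events:
        if ev["status"] in ("delivered", "failed"):
            totals[ev["form"]] += 1
        if ev["status"] == "failed":
            failed[ev["form"]] += 1
            reasons[ev["form"]][ev.get("reason", "unknown")] += 1
    return {f: (failed[f], n, reasons[f].most_common(1)[0][0])
            for f, n in totals.items()
            if n >= min_attempts and failed[f] / n > max_fail_ratio}

def stale_pending(events, now, max_age=timedelta(hours=24)):
    """Forms with a message still pending for longer than max_age (oldest pending wins)."""
    oldest = {}
    for ev in events:
        if ev["status"] == "pending":
            oldest[ev["form"]] = min(oldest.get(ev["form"], ev["ts"]), ev["ts"])
    return sorted(f for f, ts in oldest.items() if now - ts > max_age)

def alert_channel_alive(events, now, max_gap=timedelta(hours=24)):
    """Canary for the error-notification path: a test event must have arrived recently."""
    canaries = [ev["ts"] for ev in events if ev["status"] == "alert_canary"]
    return bool(canaries) and now - max(canaries) <= max_gap

def run_checks(log_text, now_iso):
    """Run all three checks at the given clock time (ISO string) and return a summary."""
    events, now = parse_log(log_text), datetime.fromisoformat(now_iso)
    return {"failing_forms": failing_forms(events),
            "stale_pending": stale_pending(events, now),
            "alert_channel_alive": alert_channel_alive(events, now)}
```

Calling `run_checks(SAMPLE_LOG, "2017-05-10T13:00:00")` flags form H-02 for repeated `captcha_unsupported` failures and S-02 for a day-old pending message; the canary check turns false as soon as the notification path stops emitting its periodic test event.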

It’s unfortunate and frustrating that many members of Congress have placed digital hurdles on constituent communications. In a more perfect democracy, we think it would be easy for constituents to simply send an email to their members of Congress and be assured that the message was received and counted. Instead, each member of Congress adopts their own form, many of them requiring users to provide information like titles, exact street address, topic areas, etc. Users who want to email their Congress members may have to hunt down and complete forms on three different websites, and they may inadvertently end up on the wrong site.

We believe that the voices of technology users should echo loudly in the halls of Congress and that timely and personal communication from constituents is vital to holding our elected officials to account. That’s why we built these tools for both the EFF community and wider world. We’re committed to continuing to improve the process of communicating with Congress, both for EFF friends speaking out in defense of digital rights and for the general public. We hope one day Congress will make it easier for constituents to reach them. Until then, we’ll do our best to help tech users find a powerful voice. We are sorry that in this instance we fell short of our goal.

Say Hello to the Slimbook Pro, a 13-inch Linux Laptop

Meet the Slimbook Pro, the latest Linux laptop from hardware company Slimbook. It has an aluminium body, a HiDPI display and enough room for 2 hard drives.

This post, Say Hello to the Slimbook Pro, a 13-inch Linux Laptop, was written by Joey Sneddon and first appeared on OMG! Ubuntu!.

Can I Control My Laptop’s Charging Cycles to Extend the Battery’s Life?

Taking care of the batteries in our laptops can be tricky at times: for example, how high and how low should we allow the charge and discharge levels to go? With that in mind, today’s SuperUser Q&A post has the answer to a concerned reader’s question.

Intel Euclid: Ideal platform for Robotics and Ubuntu Linux powers it

Intel announced the Euclid development kit for robotics. It is an Ubuntu Linux 16.04 based system. One can run, monitor and manage their robotics apps through the web interface. The software works with any ROS-based (Robotics Operating System) robot such as Arduino to build sensing capabilities into your project. You can use sensors and cameras to control a robot.

Court Orders Government To Provide More Information About Withheld Information in Laura Poitras’ FOIA Lawsuit

Laura Poitras—the Academy Award- and Pulitzer Prize-winning documentary filmmaker and journalist behind CITIZENFOUR and Risk—wants to know why she was stopped and detained at the U.S. border every time she entered the country between July 2006 and June 2012. EFF is representing Poitras in a Freedom of Information Act (FOIA) lawsuit aimed at answering this question. Since we filed the complaint in July 2015, the government has turned over hundreds of pages of highly redacted records, but it has failed to provide us with the particular justification for each withholding—as it is required to do. In March, in a win for transparency, a federal judge called foul and ordered the government to explain with particularity its rationale for withholding each document.


Poitras travels frequently for her work on documentary films. Between July 2006 and June 2012, she was routinely subject to heightened security screenings at airports around the world and stopped and detained at the U.S. border every time she entered the country—despite the fact that she is a law-abiding U.S. citizen. She’s had her laptop, camera, mobile phone, and reporter notebooks seized, and their contents copied. She was also once threatened with handcuffs for taking notes. (The border agents said her pen could be used as a weapon.) No charges were ever brought against her, and she was never given any explanation for why she was continually subjected to such treatment.

In 2014, Poitras sent FOIA requests to multiple federal agencies for any and all records naming or relating to her, including case files, surveillance records, and counterterrorism documents. But the agencies either said they had no records or simply didn’t respond. The FBI, after not responding to Poitras’ request for a year, said in May 2015 that it had located a mere six pages of relevant material but that it was withholding all six because of grand jury secrecy rules.

With EFF’s help, Poitras ultimately filed a lawsuit against the Department of Homeland Security, the Department of Justice, and the Office of the Director of National Intelligence. In the months following the filing of the lawsuit, the government discovered and released over 1,000 pages of responsive records, some of which were on display at the Whitney Museum in New York last year as part of Poitras’ Astro Noise exhibit. But most of these records are highly redacted, so while Poitras now has some information about why she was stopped, the details remain unclear. And the government failed to provide a clear rationale for why withholding the redacted information was justified.

Court to Government: “Try Again”

We argued in a motion for summary judgment filed last fall that the government had failed to meet its burden of justifying its continued withholding of information. In an order issued last month, the Honorable Ketanji Brown Jackson agreed with us. As the court explained, the government “describes in great detail the government’s general reasons for withholding entire categories of information, but does not connect these generalized justifications to the particular documents that are being withheld in this case in any discernable fashion.” She noted that instead of providing a complete list of “document-specific justifications,” the government provided a list with “only some of the records that the agency has withheld” and even then failed to “explain the reasons that the particular exemption is being asserted with respect to any document[.]”

The court didn’t grant our motion for summary judgment, but it did order the government to go back and try again—i.e., provide both us and the court with a list describing each document redacted or withheld, noting the FOIA exemption(s) that the government thinks apply to the document, and explaining the “particularized reasons that the government believes that the asserted exemption applies to the particular document at issue.”

It’s clear the judge isn’t planning to just rubber stamp the government’s assertions in this case. Forcing the government to justify its vast withholding of documents in this case is a win for transparency. We will post updates on the case as it proceeds and as we continue our fight to shed more light on the government’s unjust and potentially chilling treatment of a journalist.
