World champion of updog. duffell on Metafilter.
2020 stories
·
11 followers

the conservationist

1 Comment

20160825_pedegg

i thought of this after 3 hours of sleep. it has undergone 0 changes

jad
2 days ago
Caption for the win
Rockville, MD

Private Investigator Gets $65,000 Contract from City to Hunt for Police Whistleblower

1 Share
by Ansel Herz

$65,000!
The contract is worth up to ten percent of the budget of the city's Ethics and Elections Commission. Ice.gov

The City of Seattle is paying up to $65,000, at a rate of $325 per hour, to a private investigator to track down a whistleblower who leaked a confidential document to The Stranger that exposed the city's negotiations with the police union to public scrutiny.

The investigator is Patty Eakes of the firm Calfo, Eakes and Ostrovsky, according to a copy of the contract obtained through a public records request. Her firm boasts of successfully defending accused white-collar criminal defendants, including State Auditor Troy Kelley, against corruption charges.

(The hourly rate is $85 more than what the city is paying a private company to assist it in kicking homeless people out from where they're sleeping.)

In an August 4 email, Mayor Ed Murray and City Council Member Tim Burgess asked Ethics and Elections Commission director Wayne Barnett to track down the whistleblower, alleging a violation of city's ethics code. Barnett thanked them, then promised a "thorough investigation" and to take "appropriate measures if we are able to identify the source."

Barnett has designated about 10 percent of his commission's total annual budget for the investigation.

The document we published, way back in June, was a summary of the city's offer to the Seattle Police Officers Guild (SPOG). The vast majority of Seattle police officers rejected the contract—which fell short in key ways of benchmarks set this month by the federal judge overseeing Department of Justice-mandated reforms.

The current contract imposes onerous limits on the ways the city can hold its rank and file cops accountable for misconduct; the new contract would have relaxed some of those limits, without wholly doing away with them. Samuel Sinyangwe, the New York-based co-founder of the Black Lives Matter group Campaign Zero, which analyzes police contracts, said the contract still contains "many provisions that undermine accountability and are simply not present in many cities' contracts."

Sinyangwe called the contract offer "mediocre at best" from an accountability perspective.

It's not clear how Eakes will go about the investigation. City Attorney Pete Holmes suggested in a July statement that he and employees would submit to questioning in the inquiry under threat of perjury. Nor is there any proposed end date for the investigation. Eakes did not respond to a request for comment.

As we've reported before, there is "near-consensus" among the Department of Justice, Office of Professional Accountability (OPA), OPA Review Board, OPA Auditor, and the Community Police Commission that labor negotiations with the police guild should not be kept secret to begin with.


jad
2 days ago
Rockville, MD

The NSA Is Hoarding Vulnerabilities

1 Comment and 4 Shares

The National Security Agency is lying to us. We know that because data stolen from an NSA server was dumped on the internet. The agency is hoarding information about security vulnerabilities in the products you use, because it wants to use it to hack others' computers. Those vulnerabilities aren't being reported, and aren't getting fixed, making your computers and networks unsafe.

On August 13, a group calling itself the Shadow Brokers released 300 megabytes of NSA cyberweapon code on the internet. Near as we experts can tell, the NSA network itself wasn't hacked; what probably happened was that a "staging server" for NSA cyberweapons -- that is, a server the NSA was making use of to mask its surveillance activities -- was hacked in 2013.

The NSA inadvertently resecured itself in what was coincidentally the early weeks of the Snowden document release. The people behind the link used casual hacker lingo, and made a weird, implausible proposal involving holding a bitcoin auction for the rest of the data: "!!! Attention government sponsors of cyber warfare and those who profit from it !!!! How much you pay for enemies cyber weapons?"

Still, most people believe the hack was the work of the Russian government and the data release some sort of political message. Perhaps it was a warning that if the US government exposes the Russians as being behind the hack of the Democratic National Committee -- or other high-profile data breaches -- the Russians will expose NSA exploits in turn.

But what I want to talk about is the data. The sophisticated cyberweapons in the data dump include vulnerabilities and "exploit code" that can be deployed against common internet security systems. Products targeted include those made by Cisco, Fortinet, TOPSEC, Watchguard, and Juniper -- systems that are used by both private and government organizations around the world. Some of these vulnerabilities have been independently discovered and fixed since 2013, and some had remained unknown until now.

All of them are examples of the NSA -- despite what it and other representatives of the US government say -- prioritizing its ability to conduct surveillance over our security. Here's one example. Security researcher Mustafa al-Bassam found an attack tool codenamed BENIGNCERTAIN that tricks certain Cisco firewalls into exposing some of their memory, including their authentication passwords. Those passwords can then be used to decrypt virtual private network, or VPN, traffic, completely bypassing the firewalls' security. Cisco hasn't sold these firewalls since 2009, but they're still in use today.

Vulnerabilities like that one could have, and should have, been fixed years ago. And they would have been, if the NSA had made good on its word to alert American companies and organizations when it had identified security holes.

Over the past few years, different parts of the US government have repeatedly assured us that the NSA does not hoard "zero days" -- the term used by security experts for vulnerabilities unknown to software vendors. After we learned from the Snowden documents that the NSA purchases zero-day vulnerabilities from cyberweapons arms manufacturers, the Obama administration announced, in early 2014, that the NSA must disclose flaws in common software so they can be patched (unless there is "a clear national security or law enforcement" use).

Later that year, National Security Council cybersecurity coordinator and special adviser to the president on cybersecurity issues Michael Daniel insisted that the US doesn't stockpile zero days (except for the same narrow exemption). An official statement from the White House in 2014 said the same thing.

The Shadow Brokers data shows this is not true. The NSA hoards vulnerabilities.

Hoarding zero-day vulnerabilities is a bad idea. It means that we're all less secure. When Edward Snowden exposed many of the NSA's surveillance programs, there was considerable discussion about what the agency does with vulnerabilities in common software products that it finds. Inside the US government, the system of figuring out what to do with individual vulnerabilities is called the Vulnerabilities Equities Process (VEP). It's an inter-agency process, and it's complicated.

There is a fundamental tension between attack and defense. The NSA can keep the vulnerability secret and use it to attack other networks. In such a case, we are all at risk of someone else finding and using the same vulnerability. Alternatively, the NSA can disclose the vulnerability to the product vendor and see it gets fixed. In this case, we are all secure against whoever might be using the vulnerability, but the NSA can't use it to attack other systems.

There are probably some overly pedantic word games going on. Last year, the NSA said that it discloses 91 percent of the vulnerabilities it finds. Leaving aside the question of whether that remaining 9 percent represents 1, 10, or 1,000 vulnerabilities, there's the bigger question of what qualifies in the NSA's eyes as a "vulnerability."

Not all vulnerabilities can be turned into exploit code. The NSA loses no attack capabilities by disclosing the vulnerabilities it can't use, and doing so gets its numbers up; it's good PR. The vulnerabilities we care about are the ones in the Shadow Brokers data dump. We care about them because those are the ones whose existence leaves us all vulnerable.

Because everyone uses the same software, hardware, and networking protocols, there is no way to simultaneously secure our systems while attacking their systems -- whoever "they" are. Either everyone is more secure, or everyone is more vulnerable.

If the NSA believes no one else will find a vulnerability it has identified, it may decline to make it public. It's an evaluation prone to both hubris and optimism.

Pretty much uniformly, security experts believe we ought to disclose and fix vulnerabilities. And the NSA continues to say things that appear to reflect that view, too. Recently, the NSA told everyone that it doesn't rely on zero days -- very much, anyway.

Earlier this year at a security conference, Rob Joyce, the head of the NSA's Tailored Access Operations (TAO) organization -- basically the country's chief hacker -- gave a rare public talk, in which he said that credential stealing is a more fruitful method of attack than are zero days: "A lot of people think that nation states are running their operations on zero days, but it's not that common. For big corporate networks, persistence and focus will get you in without a zero day; there are so many more vectors that are easier, less risky, and more productive."

The distinction he's referring to is the one between exploiting a technical hole in software and waiting for a human being to, say, get sloppy with a password.

A phrase you often hear in any discussion of the Vulnerabilities Equities Process is NOBUS, which stands for "nobody but us." Basically, when the NSA finds a vulnerability, it tries to figure out if it is unique in its ability to find it, or whether someone else could find it, too. If it believes no one else will find the problem, it may decline to make it public. It's an evaluation prone to both hubris and optimism, and many security experts have cast doubt on the very notion that there is some unique American ability to conduct vulnerability research.

The vulnerabilities in the Shadow Brokers data dump are definitely not NOBUS-level. They are run-of-the-mill vulnerabilities that anyone -- another government, cybercriminals, amateur hackers -- could discover, as evidenced by the fact that many of them were discovered between 2013, when the data was stolen, and this summer, when it was published. They are vulnerabilities in common systems used by people and companies all over the world.

So what are all these vulnerabilities doing in a secret stash of NSA code that was stolen in 2013? Assuming the Russians were the ones who did the stealing, how many US companies did they hack with these vulnerabilities? This is what the Vulnerabilities Equities Process is designed to prevent, and it has clearly failed.

If there are any vulnerabilities that -- according to the standards established by the White House and the NSA -- should have been disclosed and fixed, it's these. That they have not been during the three-plus years that the NSA knew about and exploited them -- despite Joyce's insistence that they're not very important -- demonstrates that the Vulnerabilities Equities Process is badly broken.

We need to fix this. This is exactly the sort of thing a congressional investigation is for. This whole process needs a lot more transparency, oversight, and accountability. It needs guiding principles that prioritize security over surveillance. A good place to start are the recommendations by Ari Schwartz and Rob Knake in their report. These include a clearly defined and more public process, more oversight by Congress and other independent bodies, and a strong bias toward fixing vulnerabilities instead of exploiting them.

And as long as I'm dreaming, we really need to separate our nation's intelligence-gathering mission from our computer security mission: we should break up the NSA. The agency's mission should be limited to nation state espionage. Individual investigation should be part of the FBI, cyberwar capabilities should be within US Cyber Command, and critical infrastructure defense should be part of DHS's mission.

I doubt we're going to see any congressional investigations this year, but we're going to have to figure this out eventually. In my 2014 book Data and Goliath, I write that "no matter what cybercriminals do, no matter what other countries do, we in the US need to err on the side of security by fixing almost all the vulnerabilities we find...." Our nation's cybersecurity is just too important to let the NSA sacrifice it in order to gain a fleeting advantage over a foreign adversary.

This essay previously appeared on Vox.com.

jad
2 days ago
Rockville, MD
1 public comment
josephwebster
2 days ago
Filthy. Scum. Liars.
Denver, CO, USA

By maxsparber in "Some of these methods have proven invaluable. Others less so." on MeFi

1 Share
I do appreciate that many news sites have turned over the comments to their stories on Facebook to a collection of Russian spammers, pathological Islamophobes, activist MRA types, surprising antisemites (still around? What a great surprise!), and other types who apparently have found the sorts of jobs that allow you to spend the entire day turning the world into a cesspool.

I'm a newspaperman myself and just don't understand it. I mean, I get it, but I don't get it. I know they think it's engagement, and that all that stuff is in the hands of the digital marketing team, and so has nothing to do with editorial. But when I see comments under my byline that are like:

--Hey here's a marvelous new racist phrase
--This comment is written entirely in catch phrases from Ayn Rand
--In English but with Slavic Sentence Structure is written this support for the Donald Trump
--A macro I don't understand but seems to suggest certain minorities deserve what they get

I feel like, hey, now my story is a mechanism for building a nationwide hate movement! How nice that my publication has washed its hands of this!

Seriously, people complain about 4chan? Forget 4chan. Every media organization that has a Facebook page is now 4chan.
jad
4 days ago
Rockville, MD

By corb in "Peace and Quiet and Open Air / Wait for Us / Somewhere" on MeFi

1 Share
They see themselves increasingly left out of American culture and see double standards employed to keep it that way. They don't understand how to speak anymore in a way that won't have them called out for racism, sexism, or other sorts of bigotry, while at the same time they see people within different minority groups able to say things they can't without being taken to task for it.

These guys, I think, have a feeling they are becoming irrelevant, being left behind as they don't know how to adapt to the changes going on. The thing is, they're right in that, they are being left behind as the culture is no longer a white man's sanctuary.


This pretty accurately describes the Trump voters I encountered when visiting family. Though I'd argue it's not that the culture isn't a white sanctuary anymore, but more that the culture is no longer "white plus assimilated white". Because I see a lot of this stuff coming not just from actual white guys, but also from guys who were assimilating and joining the table - light-skinned Hispanic men who adapted to the culture, especially. People who had to learn a foreign culture, learned it very well, and now after they assimilated, are being asked by people who aren't at the power table to adapt, because the power table is going away entirely.

People like my dad exist in pockets where most of the people they see and talk to are the same as themselves. They watch shows from at most recent, the nineties, and they don't understand or even know why or how the world has changed - why all of a sudden, every part of their speech is replete with things that are terrible.

They see people being fired or castigated for saying things that they can imagine themselves saying, things they don't understand why are wrong - things that seem "clumsy" but not verboten. And it makes them empathize with those people and worry that any day, they're going to be on the hot seat. And the thing is, they're not wrong. Because in places where the culture has rapidly shifted, it's hard to even imagine how much other places haven't.

Like, an actual (hopefully noncontroversial) case in point - my dad told me, in casual conversation, that he recommended a science fiction series to a coworker. To him, no big deal. But that science fiction series is one with horrific representation and horrific portrayals of women. Like, to me, with the culture I'm entrenched in, recommending that series is essentially like recommending some terrible niche porn to a coworker and 100% Not To Be Done At Work. And he just dropped that conversational turd there and I wanted to say something. But then I was hit with the enormous undertaking that lay before me if I wanted him to stop it. I would have had to explain -

1) Even if you enjoy seeing women treated that way, this is no longer considered culturally okay to read and like and talk about.
2) Even if it were not terrible, you don't talk about sex at work in the same way anymore
3) You can get fired for sexual harassment, even if you're not actually trying to have sex with someone, for shit like that
4) NO JOHN RINGO NO

And then if I had explained all those, without explaining the things behind all of them, all my dad would take from it was "It's not okay to talk about the books you like at work in this CRAZY PC CULTURE of the LIBERALS."

It's not just as simple as "don't say that word", which I think people can actually get behind pretty easily. You actually have to understand context, and I think that's a lot, lot harder if you're not being exposed to it. It's still hard and frustrating for some people who are exposed to it, but at least it's possible. For guys like my dad, this stuff is dropping out of the clear blue sky and striking at complete random.

And I asked him - why are you voting for Trump? He says crazy things! And he said essentially that it's nice to see someone just saying what he thinks and not being afraid to say it, even if it's wrong or terrible.

And then I drank myself to death. And now I'm just a ghost posting on Metafilter.
jad
4 days ago
Rockville, MD

By cashman in "Peace and Quiet and Open Air / Wait for Us / Somewhere" on MeFi

1 Comment and 3 Shares
Skorgu had a great answer in the last thread, about conversations with people who fight facts. "Just remember the magic words: 'What would convince you of X?'

"It's respectful and polite, it's easy to remember, it puts the focus on the person you're talking to instead of the side they're supporting, and best of all it only has three possible outcomes:

1. An actual answer. This never happens but if it somehow does it means you're talking about something concrete that the other person came up with. Either it's something reasonable that you can demonstrate (and enjoy the acrobatics as they're now arguing with themselves) or something that can't be demonstrated (in which case you can talk about why their burden of proof is so high).

2. "Nothing will convince me." Well, ok. Why are we talking about this then? If you've already made up your mind let's not waste everyone's time.

3. Literally Any Other Response. Resist the urge to gloat because your opponent has given you a big stick with which to beat them. Either they give something like an answer in which case GOTO 10, they demonstrate that they're not arguing in good faith by refusing to meet your extremely reasonable request in which case you have a polite way out of the conversation or they just ghost on you in which case you got the last word.

As an aside, it's instructive to turn this on your own beliefs."
skorgu
5 days ago
EGO SHARE
jad
4 days ago
Rockville, MD