The Internet’s Dad Emailed 97,931 People to Let Them Know Their Passwords Were Compromised
Every time there's a major corporate or government hack and email address/password combinations pour onto the black market, you have to wonder whether your credentials are among them. But most of us don't take any action to check. If only we had a digital dad watching our backs and trying to help us stay safe.
“Julian,” the blogger behind ATechDad, is experimenting with a way to do just that. Over three days, he collected (formerly personal) user data that had leaked in large-scale breaches and was posted to sites like PasteBin that host plain text uploaded anonymously. To do it, he made Canary, a tool that scrapes sites like PasteBin, meaning it automatically culls select data from Web pages and then sends a pre-written email alerting people that their credentials are exposed on the Internet.
As Julian notes in a blog post, similar scraping services already exist, but they have two problems. "1. Most users have no idea these services exist. 2. Many users are wary of sending the information they care most about to another online service." So Julian figured that the credentials could speak for themselves: If they're on PasteBin, the owner should probably get notified.
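The mechanics the article describes, scrape a paste, pull out the credential pairs, and notify each address once, look roughly like the following. This is an added illustration, not Canary's code (which is not on this page); the paste contents, the `email:password` layout and the fingerprinting step are assumptions. The one design point worth copying is that the notifier keeps only a truncated hash of each password, so the warning email never contains, and the scraper never stores, the secret itself.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample paste in the "email<sep>password" layout typical of
# credential dumps; these accounts and passwords are made up for the example.
SAMPLE_PASTE = """# dumped 2015-05-xx
alice@example.com:hunter2
bob@example.org:Passw0rd!
alice@example.com:hunter2
ALICE@example.com:different1
carol@example.net|letmein
not an email line
"""

# One email address followed by a separator (colon, semicolon, pipe or comma)
# and a run of non-whitespace that we treat as the password.
CRED_RE = re.compile(
    r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})[:;|,]\s*(\S+)"
)


def extract_credentials(text):
    """Return every (email, password) pair found in a paste, emails lowercased."""
    return [(m.group(1).lower(), m.group(2)) for m in CRED_RE.finditer(text)]


def fingerprint(password):
    """Truncated SHA-256 of the password: enough for the recipient to tell
    which of their passwords leaked, useless to anyone who only sees the email."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def build_notifications(text, paste_id):
    """Group hits per address so each person gets exactly one warning for a paste,
    and keep only password fingerprints, never the cleartext."""
    by_email = defaultdict(list)
    for email, password in extract_credentials(text):
        fp = fingerprint(password)
        if fp not in by_email[email]:
            by_email[email].append(fp)
    return {
        email: {"paste": paste_id, "password_fingerprints": fps}
        for email, fps in by_email.items()
    }


def render_warning(email, record):
    """Body of the pre-written warning. It names the paste and the fingerprints
    only; a message that quoted the password would itself be a leak."""
    lines = [
        f"To: {email}",
        f"Your address appears with a password in a public paste ({record['paste']}).",
        "SHA-256 prefix of each exposed password: "
        + ", ".join(record["password_fingerprints"]),
        "If you recognize one, change that password wherever you reuse it.",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical paste identifier; a real scraper would record the source URL.
    for addr, rec in build_notifications(SAMPLE_PASTE, "paste-abc123").items():
        print(render_warning(addr, rec))
        print()
```

Whether the warning then reads as phishing to the recipient, the concern raised below, is a separate problem; keeping passwords out of the message at least means a skeptical reader loses nothing by ignoring it.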
On May 19 he used Canary to send 97,931 emails warning people that their cybersecurity was at risk. Motherboard rightly points out that lots of people would probably ignore such an email because it might look like a phishing scam. But Julian reports that some people actually responded. He got nine thank yous.
The project might feel a little paternalistic and even invasive, but Julian really seems to be doing a dadlike good deed. Since he sent the first round of warnings, he's collected a total of 300,000 login credentials and is contemplating another email blast.
"I received no donations. This was not unexpected—but since the campaign didn’t cost me much, it’s also absolutely fine," he wrote. "Overall I consider this experiment a success. I hope that many people were helped and did not reply instead of ignoring or losing the email to spam filters." <3 dad
Website Owners Deserve the Right to Stay Anonymous
Anyone who’s ever purchased a domain name knows the drill: You’re required to provide a mailing address, email address, and phone number during the process. That information is made publicly available on Whois, the public database that stores contact information for all registrants. But not everybody wants their home address and phone number available for the entire world to query, and that’s why many people choose to pay a small annual fee, typically around $10, to keep their contact information safe from prying eyes.
But now, the Internet Corporation for Assigned Names and Numbers, or ICANN, is considering a proposal that would roll back anonymity for commercial website owners by making them ineligible for proxy registration services. If approved, this means that any small business owner with a website—possibly even bloggers simply running ads or accepting donations—would be prohibited from protecting their own contact information.
Lots of website owners, particularly those who hold unpopular political opinions, may wish to remain anonymous. David Kaye, the U.N. Special Rapporteur on freedom of opinion and expression, recently discussed international legal protections for anonymity and encryption at the U.N. Human Rights Council in Geneva. While the report he presented didn’t mention Whois, he rightfully pointed to the link between privacy and freedom of expression and noted that digital anonymity, along with encryption, is necessary to protect these fundamental human rights.
Other website owners, particularly those who are members of marginalized groups, may choose to protect their home address for safety reasons. Close to three-quarters of adult Internet users have witnessed online harassment, and 40 percent have experienced it personally, according to a 2014 survey by the Pew Research Center. The level of severity of this harassment varies, with swatting being among the most extreme. But even people who haven’t been personally targeted at all may choose to keep some information private as a preventive measure, as opposed to broadcasting their contact information to anyone who knows how to use the Whois look-up tool. (As a recent example, two Twitter users located Charleston church shooting suspect Dylann Roof’s website after doing a reverse WHOIS search for his name.)
Some site owners choose domain privacy for other reasons. Displaying one’s personal information can lead to identity theft, and having a personal email address posted in the Whois directory can lead to massive amounts of spam.
So what are the benefits? As the Electronic Frontier Foundation points out, supporters of the proposal include the Coalition for Online Accountability, a group of eight U.S. entertainment companies (including the Motion Picture Association of America, the Walt Disney Company, and Time Warner). Of course, the loss of anonymity would save money when pursuing legal action for trademark and copyright infringement, such as pirated content. It’s worth noting, however, that Whois data is already available with a subpoena or court order—so there is already a mechanism by which entertainment industry law firms (or anybody else) can reach website owners for purposes of litigation—and they do.
Another benefit? Perhaps people wishing to purchase dormant domains could contact the owners more easily. But this problem pales in comparison to individuals who may very well be putting themselves in harm’s way by making their contact information publicly available.
Proponents of these changes brush off the risk by pointing out that people who don’t want to blast out their home address could always use a work address or even a friend’s address. But someone who feels unsafe sharing a home address probably wouldn’t feel comfortable giving out a friend’s address. And someone who may be publishing content on their site that represents them and not their employer probably won’t want to share a work address with anyone who disagrees with their political viewpoint.
Another option that’s often thrown out is to get a post office box, but even this would publicize one’s city and state, and some website owners may not want to disclose even that, particularly if they’re living in a suburb or small town. Not to mention that getting a PO box is an inconvenience and an unnecessary expense.
Chinese Router Maker Implies That Wi-Fi Can Hurt Fetuses, Sparks Absurd Debate
Though there isn't strong evidence to support it, controversy about the supposed link between cellphone radiation and cancer is always percolating somewhere on the Internet. And this week the conversation broadened to include pregnancy and Wi-Fi. You know this can't end well.
The Chinese company Qihoo 360 unveiled a device, an upgrade to an existing product, that has three settings it describes on its website as wall penetration, balance, and "pregnant women." That last one may sound weirdly specific, but Zhou Hongyi, the president and CEO of Qihoo, said, according to South China Morning Post, “We are targeting people who are afraid of radiation.”
The company says that the pregnancy mode cuts radiation emissions by 70 percent, but Zhou also told SCMP, “We aren’t scientists. We haven’t done many experiments to prove how much damage the radiation from Wi-Fi can cause.” That's true! “We leave the right of choice to our customers.” Oof.
Maybe no one would have dramatically called Qihoo out, except that the company is in a heated, longtime rivalry with competing router manufacturer Xiaomi. In a post on the company's official Weibo page, Xiaomi wrote, “We firmly oppose and feel ashamed of those who create rumors and arouse instability for business purposes. ... The so-called pregnancy mode is just a marketing tactic. Wi-fi usage is safe, so please rest assured when using it."
BBC News points out that the United States has its share of those who argue that radiation from wireless systems can cause harm to pregnant women and their fetuses—like the BabySafe Project. But the World Health Organization writes on its website, "The overall weight of evidence shows that exposure to fields at typical environmental levels does not increase the risk of any adverse outcome such as spontaneous abortions, malformations, low birth weight, and congenital diseases." WHO goes on to say that it recently conducted a thorough review of available research on mild exposure to electromagnetic fields and did not find evidence of health risks.
If nothing else, the situation produced some hilariously creepy exchanges. In response to Xiaomi's comments, Zhou said, “We will wait and see who has a more profound understanding of Wi-Fi routers, me or our competitors.” Seriously, don't cross that dude.
The Navy Is Paying $9 Million to Keep Using Windows XP
The transition away from Windows XP was so traumatic that I think we would all just like to put it behind us and move on. If we're being honest with ourselves, though, we know that that's not going to happen.
The U.S. Navy's Space and Naval Warfare Systems Command is spending $9.1 million to extend a contract from April that requires Microsoft to continue offering support for XP, Office 2003, and the email system Exchange 2003. SPAWAR reported in April that it still had about 100,000 computers running XP.
The announcement about the extension outlines some staggering numbers, and a pretty leisurely timeframe:
This contract includes options which, if exercised, would bring the cumulative value of this contract to an estimated $30,842,980. Work will be performed globally and is expected to be completed by July 12, 2016. If all options are exercised, work could continue until June 8, 2017.
Not that the Navy doesn't have important things to do, but keep in mind that Microsoft gave years of warning before discontinuing general support for XP.
The Navy has had a plan to migrate away from XP since last year. But just this week, Space and Naval Warfare Systems Command spokesperson Steven Davis told ZDNet, "Nearly all the networks and workstations afloat and ashore will benefit from the Microsoft Premier Support services and Microsoft Custom Support services for Windows XP, Office 2003, Exchange 2003 and Server 2003." Sounds like there hasn't been a ton of progress.
The Navy isn't the only defense division struggling to upgrade, though. As Ars Technica points out, the Army announced in April that it would require a similar contract with Microsoft to support about 8,000 devices using XP.
As of Thursday, NetMarketShare.com was still listing XP as the second most adopted Windows version after Windows 7. Windows 8.1 is finally in striking distance to overtake XP, but really the whole situation is just pitiful at this point.
Researchers Sharing Data Was Supposed to Change Science Forever. Did It?
In 2002, an article in the Washington Monthly explored a new trend called "open-source biology." It asked, "Can a band of biologists who share data freely out-innovate corporate researchers?" The basic idea: Instead of squirreling away their research so no one else could use it, scientists would pool their findings.
More than a decade later, open-source doesn't need to be in quotation marks, and the potential benefits of making scientific data freely available seem obvious. Plus, your tax dollars pay for a lot of it! But this week, researchers at the Defense Advanced Research Projects Agency's "Biology Is Technology" conference have a reality check to share: Open-source scientific data is grossly underutilized and kind of a mess.
Making scientific data open-source is a logical way to encourage interdisciplinary collaboration among researchers and democratize fields that are often stratified. It seems particularly exciting and promising when paired with big data—as computers have become powerful enough to process enormous data sets, the opportunity to make connections and draw conclusions seems irresistible.
And large data repositories have been the foundation of major biomedical discoveries and achievements. Joel Dudley, a biomedical informatics researcher at Mount Sinai, talked at the conference about a counterintuitive molecular similarity between skin disease and Alzheimer's that was discovered only because of large-scale data mapping. He also showed how broad access to patient medical histories and genotypes can reveal things like subpopulations within Type 2 diabetes patients in which each group is predisposed to have different types of conditions alongside diabetes.
The more data sets that are openly available, the more work like this can occur. But even something as potentially powerful as the open-source movement can be dead in the water if no one wants to engage with it. "Making data available to others is not sufficient to get people to work on it," said Stephen Friend, the president and co-founder of the nonprofit open-research organization Sage Bionetworks. Friend says that a big part of the problem is lack of incentives. Sure, building models to analyze and compare different datasets could produce meaningful results, but that takes time and other resources, and most of the work happens behind the scenes in obscurity. And scientists—well, they want a little glory.
One solution, which Sage is championing, is to create a sort of GitHub for biological data, called Synapse. GitHub is a Web-based code repository that offers project management and tracking tools for developers. Every time someone records a change to code in Git, the version-control system GitHub is built on, it's called a "commit," and when they push the change to the server, other people can see it in the project's history. The idea is that there's a log of which user was responsible for each change, however small, so everyone can see who is accountable for each decision. The flip side of commits is that when someone does something really smart, whether it's fixing a bug or adding new functionality to a program, everyone knows. Even if they're not responsible for the whole project, users can still publicly get credit for the good things they do.
Sage wants Synapse to work the same way. "The heart of it is an element of provenance," Friend said. The system tracks all different types of data organization and manipulation, and works to facilitate collaboration between disparate, even competing researchers by carefully recording who does what.
Another problem with open-source data is that it's often an unrecognizable hodgepodge of raw numbers from different experiments. "The hard thing is not actually to dump your data into the public domain," Peter Sorger, a systems biologist at Harvard, said at the DARPA event. "It’s to dump it in an intelligible way." Sorger estimates that to make data from a project usable, it takes about 20 percent of a researcher's total work. But "The incentive to do that? Zero," he said. "We have not created a system of incentives where the liberation of data is seen as critical."
If goodwill and curiosity aren't motivating researchers to work with open-source data on their own, there is still something that probably will: human limitation. "We have tiny little brains. We can’t understand the big stuff anymore," said Paul Cohen, a DARPA program manager in the Information and Innovation Office. "Machines will read the literature, machines will build complicated models, because frankly we can’t." When all you have to do is let your algorithms loose on a trove of publicly available data, there won't be any reason not to pull in everything that's out there.
Chevy Issues Press Release Written Entirely in Emojis, Tries Way Too Hard
If a picture is worth a thousand words, how valuable is an emoji? Perhaps this was a question on the minds of those who drafted a Chevy press release Monday—a message that was written entirely in emoji images. The press release caused quite a media buzz. Unfortunately, aside from the hashtag “#ChevyGoesEmoji” in English at the bottom of the page, it was also utterly incomprehensible.
Chevy released an official translation of the press release Tuesday afternoon, explaining that it was meant to announce the 2016 Chevy Cruze, an all-new model of its popular compact car that will be rolled out this week. It’s unclear how three images of a globe translate exactly to “Chevrolet is now one of the world’s largest car brands, doing business in more than 115 countries and selling 4.8 million trucks a year”—nor is it a particularly logical jump from a danger sign followed by a row of purses and briefcases to “Safety: 10 air bags.” But props to Chevy for trying its best to work around the limitations of the standard emoji keyboard, especially as long-awaited icons such as unicorns and cheese remain unavailable for widespread use.
In the day and a half between the press release and its translation, news outlets flew into a tizzy trying to analyze the marketing strategy behind the decision. Some praised Chevy for sneakily drawing free media attention, and others criticized the car company for being overly gimmicky. Both charges have a lot of truth to them. Though the company may have created the message in part to attract free press, Chevy—as one of America’s most traditional automobile makers—was also clearly trying to pander to a younger crowd. (In a somewhat similar stunt, Verizon issued a press release in Morse code in February after the FCC voted to reclassify broadband as a utility. But at least that made sense, sort of: Verizon was trying to make the case that the ruling would hurt innovation.)
Sheer awkwardness may have caused Chevy to miss its mark. Emoji-themed things can be trendy: Yelp’s emoji search function last year was a big hit, and the emoji translation of Moby-Dick received almost $4,000 in Kickstarter funds. An all-emoji message from a corporation established in 1911? Not so much. The incoherent press release caused many to cringe from secondhand embarrassment. Even Chevy’s English-translated message is somewhat awkward: The company boasts that the 2016 Cruze is “the best thing since sliced bread for stylish and socially connected people,” and it literally uses the words “fun,” “good-looking,” and “cool!” in the post—exclamation point and all.
More entertaining than Chevy’s fumbling attempt to appear “cool!”, however, was the public attempt to decipher the message before yesterday’s official translation came out. A Car and Driver piece titled “A Millennial Attempts to Translate Chevy’s All-Emoji Press Release,” written by Robert Sorokanich, made what were perhaps the most amusing stabs. For a row of icons that Chevy claims means “Seating: Seats 5,” Sorokanich surmised: “You have no idea who the last person was that sat in your airline seat. Bring hand sanitizer.” And for the mysterious three globes: “The 2016 Chevy Cruze weighs as much as three earths.”
The translation is almost more logical than Chevy’s and certainly funnier. See for yourself—here’s the company's original emoji press release below.
Report: 18 Million People May Be Affected by OPM Hack
Weeks after the news of the Office of Personnel Management hack originally broke, the agency still doesn’t have a firm grasp on the number of employees affected. However, the real number might be four times worse than originally estimated. CNN reports that during “a closed-door briefing to Senators in recent weeks,” FBI Director James Comey suggested that 18 million people’s information could be compromised, including Social Security numbers, based on the OPM’s internal investigation. That number includes current and former federal employees, plus applicants. James Trainor, acting assistant director of the FBI, supported his colleague’s claim.
However, the OPM has not changed its original estimate of 4.2 million, and on Tuesday the agency supplied senators with few answers to their many questions. “Generally, we don't yet know the magnitude of the breach, or the consequences, or number of federal employees, or personal information—the scope of the damage done,” Kansas Republican Sen. Jerry Moran said, according to the National Journal. But maybe that’s because there aren’t any great answers to give. The Wall Street Journal reports:
Estimates have been all over the place. Some people familiar with the investigation said that the breach could have compromised as many as 18 million records, but Tony Scott, the White House’s chief information officer, said in an interview Tuesday that those estimates are off base. He said some of the names on stolen files could be on other files, and officials are trying to “deduplicate” the files to tally the total number of affected people.
“It’s a number that nobody knows at this point,” he said. “Anybody who gives you a number is just speculating at this point.”
Katherine Archuleta, director of the OPM, will continue making the rounds in Washington, D.C., as she answers, or dodges, questions from lawmakers. This week, Archuleta will appear in front of the Senate Homeland Security Committee, and she will speak again to the House Oversight Committee.
While some have called for her resignation, Archuleta has passed the blame onto the OPM’s legacy systems. And on Wednesday, the OPM released its 15-step plan for bolstering its defense against cyberattacks, including a heavier reliance on encryption, two-factor authentication, and advising from outside security firms.
As the OPM is forced to reckon with its responsibility in this breach, questions remain about the source of the hack and the motive. Slate’s David Auerbach previously wrote, “We don’t know quite yet exactly how it happened or who did it, despite some eager gestures at China.” Congress’ inquiry into the hack coincides with U.S.-China talks this week—and cybersecurity is on the agenda.
Netizen Report: U.K. Spied on Human Rights Organizations in Egypt, South Africa
The Netizen Report offers an international snapshot of challenges, victories, and emerging trends in Internet rights around the world. It originally appears each week on Global Voices Advocacy. Ellery Roberts Biddle, Weiping Li, Hae-in Lim, and Sarah Myers West contributed to this report.
The U.K. Investigatory Powers Tribunal revealed that U.K. intelligence agency Government Communications Headquarters, or GCHQ, spied on two international human rights organizations, the South African Legal Resources Centre and Egyptian Initiative for Personal Rights. Both NGOs now are involved in a legal challenge against GCHQ, arguing the agency acted unlawfully and violated its own secret procedures.
The Egyptian Initiative for Personal Rights has long defended the rights of Egyptians to express themselves freely and without fear in public spaces both online and off. The tribunal found that the organization’s Internet communications were intercepted, accessed, and then unlawfully "retained for materially longer than permitted." The news was disheartening for privacy and free expression advocates in Egypt, who typically focus on the surveillance activities of their own government. Authorities in Egypt routinely target advocates in this sector, often on grounds of preserving national security in the face of increasingly powerful violent crime groups.
In a decision that Privacy International described as “astonishing,” the tribunal did not find that GCHQ's interception of the NGOs' communications was itself unlawful. Instead, it was GCHQ's failure to follow its own secret procedures that resulted in the unlawful conduct.
Privacy International has appealed the case to the European Court of Human Rights.
Got a dirty mouth? Then stay off WhatsApp.
WhatsApp users in the United Arab Emirates may want to watch their language while using the app: Under new rules, people swearing online at others could be fined 250,000 UAE dirhams (about $68,000) and even jailed. The Federal Supreme Court recently overturned a case where a man was fined 3,000 dirhams (about $816) after being convicted of swearing at another person on WhatsApp—the court found the punishment to be too weak.
The right to be forgotten, Kremlin-style
Russia’s parliament gave initial approval for a new law that would emulate the EU’s rules on the “right to be forgotten,” requiring search engines to remove outdated or irrelevant personal information from search results on request from users. The law would depart from the EU regulation in one important respect: It would force search engines to remove information about a person even if it is in the public interest. Yandex, Russia’s biggest search engine, is opposing the bill. Global Voices’ Tanya Lokot previews what the Russian Internet might look like if the bill becomes law.
Kenyan blogger still missing after nearly two years
Kenyans have been tweeting about the mysterious fate of blogger and former AFP correspondent Bogonko Bosire. The author of the controversial Jackal News blog disappeared almost two years ago after publishing a series of reports on the International Criminal Court case against former President Uhuru Kenyatta. Bosire has not been seen since September 2013.
Thai man sentenced to 25 years in jail for “defaming the monarchy”
Thai Facebook user Tiensutham S. was arrested and sentenced to 50 years in prison for “defaming the monarchy” in several Facebook posts written between July and November 2014. His sentence was reduced to 25 years after he confessed to these crimes.
Singapore authorities order teen video blogger to be evaluated for autism
Singaporean blogger Amos Yee was arrested and now has been sent to rehabilitation for a video he posted criticizing the nation’s founder, Lee Kuan Yew, shortly after Lee’s death. Yee has been charged with offending the religious sentiments of Christians and circulating obscene material and may soon be evaluated for autism. His case has sparked a heated debate over the role of free expression in the Asian city-state.
No more mobile for foreigners in North Korea (at least for now)
North Korean mobile provider Koryolink issued a notice saying that 3G Internet service will no longer be available in the country. Koryolink, which is the country’s sole provider of mobile Internet service, offered no information on when services would be available again. North Koreans have no access to the global Internet, but foreign residents and visitors have historically been able to use mobile SIM cards. The reason for the service cut remains unclear.
U.N. Working Group calls for release of Syrian Web developer
The United Nations Working Group on Arbitrary Detention issued a position on the situation of Bassel Khartabil (aka Safadi), a Web developer and transparency advocate who worked with Creative Commons, Mozilla, and other open-Web organizations. Khartabil has been jailed in Syria since March 2012. The working group considers his detention "arbitrary" and has called for his immediate release.
Better late than never, Bing hops on encryption train
Microsoft announced that it will begin encrypting Bing searches by default. This means that a site a user clicks through to will still see that the visit came from a Bing search, but the search term itself, which an unencrypted search would have passed along in the referrer, will no longer be disclosed. Microsoft acknowledged that “this change may impact marketers and webmasters, [but] we believe that providing a more secure search experience for our users is important.” Google and Yahoo made encrypted search the default in 2011 and 2014, respectively.
This System Lets You See in Front of That Enormous Semi on the Highway
Few things make the open road seem less so than a looming semi truck. When you find yourself behind one, the world ahead disappears. With it goes any sense of road conditions, sometimes making passing dangerous and other hazards difficult to anticipate. That's my sense, at any rate, having only ever been in the passenger seat while on the highway. What I know for sure is that in the United States alone, the Federal Motor Carrier Safety Administration has recorded tens of thousands of truck-related crashes a year, many of them fatal.
Now, Samsung thinks it has engineered a partial solution, finding a way to turn large trucks into a resource for other drivers rather than a liability to them. According to a post on the company’s official blog, its researchers developed a system in which a wireless camera on the nose of a truck feeds video to an array of four large screens on the rear of the trailer. With its wide field of view, this video stream can provide drivers behind the truck with information about oncoming traffic and other conditions on the road ahead.
Samsung explains that it tested a prototype of this system in Argentina. While that experiment has been discontinued, the company plans to carry out further tests in order to ensure that its technology complies with “existing national protocols” and other standards. The blog post offers no indication as to when Samsung expects to take the next steps. In the meantime, it has released an exciting video that demonstrates how today’s technology might make tomorrow’s roads a little safer.
Jury Awards $2.2 Million to Employees Over DNA Tests in “Devious Defecator” Case
Atlas Logistics Group Retail Services, a grocery distributor, was concerned when it discovered piles of feces in the aisles of its warehouses—and on its canned goods. So Atlas pressured warehouse workers to submit to a cheek swab, then extracted their DNA and compared it with the DNA found in the excrement. Jack Lowe and Dennis Reynolds, two Atlas workers, hesitantly gave over their DNA to Atlas and were cleared of the crime. They then sued their employer for violating federal law.
On Monday a jury in an Atlanta-based federal district court awarded Lowe and Reynolds a stunning $2.2 million: $475,000 in compensatory damages for mental pain, and $1.75 million in punitive damages as a deterrent to any company thinking about requesting its employees’ genetic material. U.S. District Judge Amy Totenberg had already ruled that Atlas violated the Genetic Information Nondiscrimination Act, or GINA, when it asked for Lowe and Reynolds’ DNA. The astonishing jury award is expected to be lowered on appeal, but Lowe and Reynolds will probably walk away with a healthy sum.
The case—which Totenberg called “the mystery of the devious defecator”—is a helpful lesson in two respects. First, it teaches Atlas that the company must fire its attorneys immediately, because no marginally informed lawyer could possibly sign off on a scheme to collect employees’ DNA. Second, it reminds employers across the country that, yes, asking employees to turn over genetic material is totally illegal. Under GINA, no employer may “request, require, or purchase genetic information with respect to an employee.” That broad wording ensures that even when a poop bandit is on the loose in a food warehouse, management is absolutely barred from whipping out the DNA swabs.
Silly as this “devious defecator” case may seem, GINA is actually an incredibly important nondiscrimination law. Without GINA, employees might be terrified to take doctor-mandated genetic tests, for fear that an employer would request the results—and fire them if they were likely to fall seriously ill. Atlas may have only used Lowe and Reynolds’ DNA to absolve them of the poop crime. But once it had their genetic information, the company could map out their likely biological destinies. GINA is really a civil rights law for the 21st century. And as Monday’s verdict proves, the law is doing its job commendably.