FBI can’t cut Internet and pose as cable guy to search property, judge says

“This is a monumental ruling protecting Americans’ privacy in the modern age.”
By David Kravets
Apr 18 2015

A federal judge issued a stern rebuke Friday to the Federal Bureau of Investigation’s method for breaking up an illegal online betting ring. The Las Vegas court frowned on the FBI’s ruse of disconnecting Internet access to $25,000-per-night villas at Caesars Palace Hotel and Casino. FBI agents posed as the cable guy and secretly searched the premises.

The government claimed the search was legal because the suspects invited the agents into the room to fix the Internet. US District Judge Andrew P. Gordon wasn’t buying it. He ruled that if the government could get away with tactics like those it used to nab gambling kingpin Paul Phua and some of his associates, then the government would have carte blanche power to search just about any property.

“Permitting the government to create the need for the occupant to invite a third party into his or her home would effectively allow the government to conduct warrantless searches of the vast majority of residents and hotel rooms in America,” Gordon wrote in throwing out evidence the agents collected. “Authorities would need only to disrupt phone, Internet, cable, or other ‘non-essential’ service and then pose as technicians to gain warrantless entry to the vast majority of homes, hotel rooms, and similarly protected premises across America.”

The government had urged the court to uphold the search, arguing that it employs “ruses every day in its undercover operations.” The government noted that US judges have previously upheld government ruses to gain access into dwellings.

In 1966, the Supreme Court authorized an agent to pose as a drug buyer to get consent to go inside a house. In 1980, an agent posing as a drug dealer’s chauffeur was upheld. Seven years later, agents posed as real estate investors to access a bedroom and closet of a suspect. And in 1989, an agent posed as a UPS delivery man to get inside a drug house, the government argued.

But operatives posing as gas company or water district workers seeking permission to enter the premises to check for leaks were deemed illegal searches. That’s because the occupants provided “involuntary” consent to enter because they were duped into believing a life-threatening emergency was afoot, Phua’s defense pointed out.

In the Phua case, the FBI and a Nevada gaming official clandestinely filmed the rooms while building a case that ultimately accused Phua, his son, and others of running a World Cup soccer bookmaking ring where “hundreds of millions of dollars in illegal bets” were taking place. The investigation started last summer when Caesars Palace staff got suspicious that the men were ordering a substantial amount of electronic gear and Internet connections.

The seven other defendants reached plea deals, but Phua challenged the search on constitutional grounds. The court’s decision likely ends the case against the 50-year-old Malaysian.


Op-ed: Why the entire premise of Tor-enabled routers is ridiculous

Unless you use Tor Browser Bundle for everything, you’re going to be spied upon.
By Nicholas Weaver
Apr 18 2015

Ars recently reviewed two “Tor routers”, devices that are supposed to improve your privacy by routing all traffic through the Tor anonymity network. Although the initial release of Anonabox proved woefully insecure, the basic premise itself is flawed. Using these instead of the Tor Browser Bundle is bad: less secure and less private than simply not using these “Tor Routers” in the first place. They are, in a word, EPICFAIL.

There are four possible spies on your traffic when you use these Tor “routers”, those who can both see what you do and potentially attack your communication: your ISP, the websites themselves, the Tor exit routers, and the NSA with its 5EYES buddies.

Now it’s true that these devices do protect you against your ISP. And if your ISP wants to extort over $30 per month for them to not spy on you, this does offer protection. But if you want protection from your ISP, just use a VPN service or run your own VPN using Amazon EC2 ($9.50/month plus $.09/GB bandwidth for a t2 micro instance). These services offer much better performance and equal privacy. At the same time, if your ISP wants to extort your privacy, choose a different ISP.

The second spy is websites, and the nest of privacy trackers, advertisement trackers, permacookies, browser fingerprints, and other elements that make up the modern Web. Websites know who you are, and if you happen to also visit from elsewhere, they can know where you’ve been. If you visit the same site from a Starbucks, your non-Tor behavior can be tracked and linked to your Tor behavior.

The third is the Tor network. Tor is run by volunteers, and anyone (willing to put up with a bit of grief) can run an “exit node”, a system which routes traffic from Tor onto the general Internet.

Not only is this a public service, but running an exit node offers the opportunity to play spy, observing or even modifying all unencrypted traffic coming through the relay. And it’s not just security researchers: malicious Tor exit nodes have even actively modified downloaded binaries! It’s obvious, but normal Web surfers are not affected by malicious Tor nodes, only Tor users.

Last but hardly least, there are the spooks. EPICFAIL isn’t just some joke, but the name of an actual NSA program explicitly designed to deanonymize and track Tor users. For a large number of tracking cookies, the NSA’s wiretaps record where they are seen, link them to other tracking cookies and, where possible, identify the users, shipping the results back to a central database accessible through MARINA.

EPICFAIL simply takes advantage of the NSA’s existing pool of information. When the NSA’s database records a tracking cookie from both a Tor exit node and a non-Tor IP, it simply notes this fact. There are several data structures (such as Bloom filters) which make the check easy to perform when ingesting this data. Now to deanonymize a Tor user, the analyst just looks up the associated tracking cookies through EPICFAIL, finds their identities, and goes from there.
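The linkage the op-ed describes comes down to one check: has this tracking cookie been seen both from a known Tor exit and from a non-Tor address? The example below (added here; it is not the op-ed's code and not any real EPICFAIL implementation) models that check with a small Bloom filter as the cheap ingest-time gate and an exact store for confirmation, then runs two constructed scenarios: a transparent "Tor router" that sends the same browser profile both ways, and Tor Browser, whose separate cookie jar never reuses a clearnet cookie over Tor. All IP addresses, cookie values and the exit list are constructed.

```python
"""Added example: why a transparent Tor router leaks linkable browser state.

An observer that sees the same tracking cookie from a Tor exit IP and from a
residential IP can link the two sessions. A Bloom filter makes the
"seen from the other side before?" check cheap at ingest time; an exact store
confirms hits so Bloom false positives never produce a link.
All addresses and cookie values below are constructed.
"""
import hashlib
from dataclasses import dataclass

# Constructed: addresses the observer treats as known Tor exit nodes.
KNOWN_TOR_EXITS = {"203.0.113.7", "198.51.100.22"}


class BloomFilter:
    """Minimal Bloom filter: k hash positions over an m-bit array, no false negatives."""

    def __init__(self, m_bits: int = 4096, k_hashes: int = 4) -> None:
        self.m = m_bits
        self.k = k_hashes
        self.bits = bytearray(m_bits // 8 + 1)

    def _positions(self, item: str):
        # Double hashing: h1 + i*h2 yields k positions from one SHA-256 digest.
        digest = hashlib.sha256(item.encode()).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd, so coprime with m=4096
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item: str) -> None:
        for p in self._positions(item):
            self.bits[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: str) -> bool:
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(item))


@dataclass(frozen=True)
class Observation:
    src_ip: str   # address the observer saw the request come from
    cookie: str   # a site's tracking cookie value carried by that request


def link_tor_sessions(observations):
    """Return {cookie: set of clearnet IPs} for cookies seen both via Tor and clearnet."""
    maybe_tor = BloomFilter()     # fast gate: cookie possibly seen via a Tor exit
    maybe_clear = BloomFilter()   # fast gate: cookie possibly seen from clearnet
    tor_cookies = set()           # exact confirmation stores
    clear_ips = {}                # cookie -> set of clearnet source IPs
    linked = {}
    for obs in observations:
        if obs.src_ip in KNOWN_TOR_EXITS:
            maybe_tor.add(obs.cookie)
            tor_cookies.add(obs.cookie)
            # Bloom says "maybe"; the exact store decides.
            if obs.cookie in maybe_clear and obs.cookie in clear_ips:
                linked[obs.cookie] = set(clear_ips[obs.cookie])
        else:
            maybe_clear.add(obs.cookie)
            clear_ips.setdefault(obs.cookie, set()).add(obs.src_ip)
            if obs.cookie in maybe_tor and obs.cookie in tor_cookies:
                linked[obs.cookie] = set(clear_ips[obs.cookie])
    return linked


def tor_router_scenario():
    # Constructed: one shared browser profile behind a Tor router, so the same
    # cookie leaves over the home connection and later via the Tor exit.
    return link_tor_sessions([
        Observation("192.0.2.10", "uid=4f9c21"),    # home connection, clearnet
        Observation("203.0.113.7", "uid=4f9c21"),   # same cookie via a Tor exit
        Observation("203.0.113.7", "uid=a17d03"),   # unrelated Tor user
    ])


def tor_browser_scenario():
    # Constructed: Tor Browser keeps its own cookie jar, so the value seen via
    # the exit never appears from a clearnet address.
    return link_tor_sessions([
        Observation("192.0.2.10", "uid=4f9c21"),
        Observation("203.0.113.7", "uid=e0b5c9"),
    ])


if __name__ == "__main__":
    print("Tor router :", tor_router_scenario())
    print("Tor Browser:", tor_browser_scenario())
```

The Bloom filters answer the common case ("never seen from the other side") without touching the exact stores; the exact stores exist only to rule out Bloom false positives before a link is recorded. The defensive lesson is the second scenario: when the cookie jar used over Tor is never used over clearnet, there is nothing to correlate, which is what Tor Browser's isolated state buys you and a transparent router does not.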

So not only does using these Tor routers not hide you from the NSA, it specifically marks your behavior as “interesting” and worthy of further examination!


FCC approves ‘historic’ plan to let broadband providers and military share spectrum

By Chris Welch
Apr 17 2015

The FCC on Friday approved a plan that will allow broadband providers and other companies to use and share spectrum that until now has been held mostly by the United States military. “Since they don’t make spectrum anymore, and since spectrum is the pathway of the 21st century, we have to figure out how we’re going to live with a fixed amount,” FCC Chairman Tom Wheeler said during Friday’s session. “Sharing is key to that.” The Citizens Broadband Radio Service (CBRS) plan — yes, that’s a mouthful — will open frequencies from 3550MHz to 3700MHz to commercial companies; right now, they’re mostly being used by radar systems belonging to the US Army and Navy.

These airwaves don’t travel very far or provide strong wall penetration, and it’ll likely be years before your smartphone can harness them. But eventually, they could be used to bolster small cell deployments, LTE hotspots, and other applications that companies haven’t figured out yet. Wheeler spoke of the benefits of the FCC’s “historic” shared approach last month in a blog post. At that time, he said:

The 3.5 GHz band is an innovation band. As a result of technological innovations and new focus on spectrum sharing, we can combine it with adjacent spectrum to create a 150 megahertz contiguous band previously unavailable for commercial uses. It provides an opportunity to try new innovations in spectrum licensing and access schemes to meet the needs of a multiplicity of users, simultaneously. And, crucially, we can do all of this in a way that does not harm important federal missions.

The military won’t have to worry about interference

So how does the FCC intend to prevent interference in those frequencies? It’s got a plan. The proposal calls for a three-tiered system; at the top is the federal government along with other users already running satellite and radar services on the 3.5GHz band. They’re guaranteed protection from interference caused by those operating in the lower two tiers. (The Defense Department can also establish exclusion zones around the coasts where commercial users aren’t allowed.) One step below that, the FCC will auction off short-duration licenses that are also shielded from interference from the lowest tier, which is called the General Authorized Access tier. This is most similar to unlicensed spectrum in that any company with an FCC-certified device won’t need additional approval from the commission to start using the shared spectrum.

Nothing’s happening yet, though; in approving the proposal, the FCC also said it will open up another public comment period to address the many complexities of shared spectrum. But tech companies and the FCC’s own commissioners are excited. “This is big,” said Commissioner Jessica Rosenworcel, describing the FCC’s move as “a paradigm shift that paves the way for new services, new technologies, and more mobile broadband.”

Comcast/TWC merger may be blocked by Justice Department

US antitrust lawyers reportedly close to filing lawsuit to block deal.
By Jon Brodkin
Apr 17 2015

Department of Justice (DOJ) antitrust lawyers are “nearing a recommendation” to block Comcast’s proposed acquisition of Time Warner Cable, Bloomberg reported today.

To prevent the merger, the DOJ would have to sue in federal court and prove that the transaction is likely to reduce competition. The DOJ has made no public announcement, but Bloomberg cited anonymous sources while reporting that “The antitrust lawyers will present their findings to Renata Hesse, a deputy assistant attorney general for antitrust, who will decide, along with the division’s top officials, whether to file a federal lawsuit to block the deal.”

The findings could be submitted as soon as next week, Bloomberg wrote.

There is also a separate review underway at the Federal Communications Commission that could block the deal if it finds it is not in the public interest. The FCC could also approve the deal and impose conditions designed to benefit consumers, as it did when Comcast bought NBCUniversal in 2011.

Comcast has argued that the merger of the two largest cable companies in the nation would not limit competition because they don’t compete against each other for customers in any city or town. Opponents have argued that increasing Comcast’s size would give it too much power in negotiations with TV programmers and online video providers.

DOJ opposition sank a previous proposed merger between AT&T and T-Mobile in 2011. But Comcast could try to defeat the DOJ in court.

“There is no basis for a lawsuit to block the transaction,” Comcast VP of Government Communications Sena Fitzmaurice told Bloomberg. The merger “will result in significant consumer benefits—faster broadband speeds, access to a superior video experience, and more competition in business services resulting in billions of dollars of cost savings.”

Time Warner Cable spokesman Bobby Amirshahi also told Bloomberg that “we have been working productively with both DOJ and FCC and believe that there is no basis for DOJ to block the deal.”

Earlier today, a few dozen organizations wrote to FCC Chairman Tom Wheeler that “the sheer size and scope of a combined Comcast/Time Warner Cable, coupled with its incentive to protect its core video business from innovative ‘over-the-top’ online video providers, would allow it to threaten nascent competition in so many different ways.” The letter, signed by Dish, Cogent, Common Cause, Free Press, the NTCA Rural Broadband Association, Consumers Union, and others, said there are no conditions that could prevent the harms of the merger.

EU hits Google with antitrust charge in search, is investigating Android

Europe’s anti-trust investigation may widen to include other Google services.
By Glyn Moody
Apr 15 2015

As expected, the European Commission has sent a formal “Statement of Objections” to Google alleging the company has abused its dominant position in the EU’s general search market by systematically favoring its own comparison shopping product in search results. The Commission believes this infringes EU antitrust rules because it “stifles competition and harms consumers.”

Separately, the Commission has also opened an antitrust investigation into Google’s Android offerings: “[It] will focus on whether Google has entered into anti-competitive agreements or abused a possible dominant position in the field of operating systems, applications and services for smart mobile devices.”

Speaking today at the press conference in Brussels, the EU Commissioner in charge of competition policy, Margrethe Vestager, said: “dominance as such is not a problem. However, dominant companies have a responsibility not to abuse their powerful market position by restricting competition, either in the market where they are dominant or in neighboring markets.” The specific allegation is that Google systematically gives favorable treatment to its comparison shopping product Google Shopping in its general search results pages.

Vestager emphasized that the Commission did not want to interfere in the design of the results screen, or to lay down how Google’s search algorithms worked. “I think it will be difficult to supervise the algorithm,” she said. Instead, it was “important to find something guided by principles, that leaves the algorithm and screen design as the responsibility of Google.” Vestager said that she wanted to “work with principles that can be future-proofed.” This is presumably to avoid a repeat of the EU’s experience in its previous major anti-trust action against Microsoft, for bundling Internet Explorer with Windows. In that case, the remedy—to use a browser ballot screen—had become largely redundant by the time it was finally implemented, since many users had already migrated to alternatives.

Establishing general principles would also allow them to be applied elsewhere, Vestager believes. “I think if infringement is proven, a case that focuses on shopping could potentially establish a broader precedent how we enforce EU competition rules in other instances if we find a favoring of services closely related to general search.” She said that the European Commission was still “actively looking into the other markets—mapping, hotels, flight—to get a deeper understanding,” before deciding whether to bring actions against Google for those too. In addition, the EU still has “concerns with regard to [Google’s] copying of rivals’ web content (known as ‘scraping’), advertising exclusivity and undue restrictions on advertisers,” so the company has plenty to worry about.

Google has published its first response to the European Commission’s actions in a post on its European policy blog, entitled “The Search for Harm.” It includes a variety of graphs showing visitors to travel and shopping sites in the main European markets to support its claim that: “While Google may be the most used search engine, people can now find and access information in numerous different ways—and allegations of harm, for consumers and competitors, have proved to be wide of the mark.”

Throughout the press conference, Vestager emphasized that the European Commission’s concerns were not about the market, but the actions of key players in it: “we’re not here to create a market, to pick winners, we’re here to enforce EU competition law.” She said that it was of “tremendous importance to know that no matter what market, no matter what consumer behavior, there will be someone looking into [a company’s] behavior if they’re misusing their dominant position.” And as she pointed out: “when complaints are made, we investigate them.”


It wasn’t easy, but Netflix will soon use HTTPS to secure video streams

Netflix move leaves Amazon as the most visible no-show to the Web crypto party.
By Dan Goodin
Apr 16 2015

Netflix will soon use the HTTPS protocol to authenticate and encrypt customer streams, a move that helps ensure what users watch stays secret. The move now leaves Amazon as one of the most noticeable no-shows to the Web encryption party.

Flipping on the HTTPS switch on Netflix’s vast network of OpenConnect Appliances (OCAs) has been anything but effortless. That’s because the demands of mass movie streaming can impose severe penalties when transport layer security (TLS) is enabled. Each Netflix OCA is a server-class computer with a 64-bit Xeon CPU running the FreeBSD operating system. Each box stores up to 120 terabytes of data and serves up to 40,000 simultaneous, long-lived connections, a load that requires as much as 40 gigabits per second of continuous bandwidth. Like Amazon, Netflix has long encrypted log-in pages and other sensitive parts of its website but has served movie streams over unsecured HTTP connections. Netflix took the unusual step of announcing the switch in a quarterly earnings letter that company officials sent shareholders Tuesday.

Failed experiment

Netflix first experimented with TLS-protecting customer streams six months ago when it dedicated several servers to deliver only HTTPS traffic to a subclass of users and compared the results to similarly situated servers serving HTTP streams. The results weren’t encouraging. There was as much as a 53-percent capacity hit. The penalty was the result of the additional computational requirements of the encryption itself and the lost ability to use certain Netflix streaming optimizations. The optimizations involve avoiding data copies to and from a server’s user space, something that’s not possible with HTTPS turned on.

“This is not a capacity hit we can absorb in the short term, and we estimate the costs over time would be in the $10s to $100’s of millions per year,” Netflix Director of Streaming Standards Mark Watson wrote in an October 2014 e-mail to W3C public listservs. Netflix decided to forgo the HTTPS rollout until it could get costs in line.

On Wednesday, Watson was back to say Netflix had made enough progress that it was ready to begin rolling out HTTPS for both the entire site and the content itself. Desktop browser tests will be at scale in the next three months, and the job should be completed in the coming year. The performance hit was stemmed by some TLS optimizations Netflix engineers developed for high-bandwidth FreeBSD applications. The work was presented at this year’s Asia BSD conference.

“We now believe we can deploy HTTPS at a cost that, whilst significant, is well justified by the privacy returns for our users,” Watson wrote in a follow-up e-mail Wednesday. He didn’t quantify the current performance hit or cost that’s incurred now.

Watson’s account casts a new light on the conventional wisdom often cited by encryption advocates that the costs of switching to full-blown HTTPS are negligible. Netflix’s experiments suggest that the costs can be driven down by engineering, but the savings don’t come without a considerable amount of work.

“It’s not clear why that was, but I’m guessing it had to do with the way their servers were configured, the types of cipher suites they were using, lack of hardware, etc.,” Matt Green, a Johns Hopkins University professor and encryption expert, told Ars. “The fact that they’ve made so much progress in only six months probably means that the improvements were probably not so hard to make.”

In a paper that accompanied the Netflix presentation at the Asia BSD conference, engineers from Netflix and FreeBSD laid out a wealth of technical details that helped them realize the performance gains. They wrote:


Netflix will stop asking ISPs to exempt its videos from data caps

Netflix regrets striking cap-exempt deal in Australia.
By Jon Brodkin
Apr 16 2015

Netflix says it regrets striking a deal that exempted its videos from data caps imposed by an Internet service provider and will avoid such arrangements in the future.

Netflix has criticized data caps on fixed broadband for years and said that when they are applied, they should be applied equally to all content. But in Australia, where data cap exemption deals are common, the company negotiated with iiNet to exempt Netflix video from the ISP’s caps.

One month later, Netflix said in its quarterly letter to shareholders yesterday that it was a mistake:

Data caps inhibit Internet innovation and are bad for consumers. In Australia, we recently sought to protect our new members from data caps by participating in ISP programs that, while common in Australia, effectively condone discrimination among video services (some capped, some not). We should have avoided that and will avoid it going forward. Fortunately, most fixed-line ISPs are raising or eliminating data caps in line with our belief that ISPs should provide great video for all services in a market and let consumers do the choosing.

We asked Netflix this morning if the iiNet deal is the only one it has struck and whether it will pull out of the deal, but we haven’t heard back yet.

UPDATE: Netflix also has a cap exemption deal with Optus in Australia. Netflix also told Ars that it has altered the agreements with iiNet and Optus to free them of any obligation to exempt Netflix traffic from data caps. “We changed the terms of both deals though both companies decided to continue offering unmetered to their customers,” Netflix said.

Commenters have also pointed out that BT in the UK offers Netflix without having it count against broadband limits. “Netflix and BT have partnered together and new and existing TV customers can now purchase Netflix from BT,” BT says. If you buy Netflix directly from BT, “There are no limits: watch as much as you want.” This is only true if you watch Netflix on BT’s YouView system. “But [Netflix] will count towards your data allowance if you’re not on Unlimited Broadband and watch Netflix on other devices in the home,” BT says.