7 Reasons Security Wonks Should Watch the State of the Union Tonight



US President Barack Obama delivers the State of the Union address January 28, 2014. Larry Downing/AFP/Getty Images



President Obama has left few questions about what he plans to unveil in his State of the Union address tonight, having dropped several previews in the last two weeks about legislation the White House is proposing. He will undoubtedly go into more detail tonight at 9 p.m. ET, and we will be watching specifically to hear him expand on comments already made about proposed changes to cybersecurity legislation (.pdf).


The State of the Union address is traditionally the vehicle for the president to reveal his legislative agenda for the year to Congress. With Republicans now in charge of both houses, President Obama did something he hasn’t done in the six State of Unions he’s delivered before tonight—he took his agenda to the public first. The point of this public tactic is no doubt to win support for his new proposals outside the Beltway, applying pressure on Capitol Hill.


There are several areas of the address that will be of interest to WIRED Threat Level readers. Some of them involve changes to the existing Computer Fraud and Abuse Act, some of them involve new legislative proposals.


1. Information-Sharing About Computer Intrusions


Obama has proposed legislation that would give companies certain immunity for sharing information with the government about breaches they experience. The move is meant to help the government predict and combat cyberattacks by encouraging companies to share threat data with the Department of Homeland Security and information-sharing and analysis centers—known as ISACs—without fear of potential lawsuits from customers. Similar legislation was proposed in the past but failed to gain traction due, in part, to concerns from civil liberties groups that the data could include information that violates the privacy of customers and provides the government with another avenue for conducting warrantless surveillance. Of particular concern to privacy groups is a provision of the new proposal that would allow DHS to further share the information in “near real time” with other government agencies, including the FBI, Secret Service, NSA, and the Defense Department’s U.S. Cyber Command.


Groups like the Electronic Frontier Foundation are concerned that personal information shared with law enforcement and intelligence agencies might be used for purposes other than combating cyber threats. But the White House has pointed out that in order to qualify for immunity under the proposed legislation, companies would be required to remove unnecessary personal information before handing it off to DHS. The White House proposal also calls for imposing limits on how and when the data can be used and tasks DHS and the Justice Department with developing guidelines for its retention and use.


2. 30-Day Breach Notification


The White House is also proposing a federal breach notification law. This would require entities that are hacked—private companies, educational institutions and government agencies, for example—to notify victims within 30 days after discovering that their personally identifiable information has been stolen or accessed by an unauthorized person. The proposal attempts to resolve disparities between a patchwork of state breach notification laws that are confusing and costly to enforce.


3. Expansion of Federal Law Deterring Spyware


The White House proposal would allow the government to seize any proceeds gained from the sale of spyware or other tools intended to be used for unlawful data interception. In the wake of a recent indictment against the maker of a spyware app called StealthGenie, this is meant to target all sellers of spyware and stalkingware. StealthGenie is a spy app for iPhones, Android phones and Blackberry devices that was marketed primarily to people who suspected their spouse or lover of cheating on them, but products like it are also used by stalkers and perpetrators of domestic violence to track their victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online. Authorities arrested CEO Hammad Akbar, a 31-year-old Pakistani resident, last October following his indictment in Virginia on federal wiretapping charges, which included conspiracy to market and sell the surreptitious interception device. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana J. Boente of the Eastern District of Virginia said in a statement about the case.


Although it’s not uncommon for the makers of illicit tools used in criminal hacking to be charged with illegal activity, it’s often the case that the developers of such tools are also their surreptitious users. The case against Akbar was remarkable for its focus on the seller of a commercial software program who wasn’t accused of using the tool for illegal purposes. The government argued that the maker of such software is liable as an enabler of a privacy invasion.


4. Give Courts Authority to Shut Down Botnets


Botnets, or armies of infected machines, are used by cybercriminals to deliver spam, conduct denial-of-service attacks and distribute malware. A burgeoning business has developed to supply spammers and cybercriminals with access to readymade bots by renting them time on the hijacked machines. The White House proposal would give courts the authority to shut down botnets and would also give immunity to anyone complying with such an order as well as authorize officials to reimburse someone who incurs a monetary cost for complying with the order. The proposal is meant to cement authority that has already been exercised by courts in a few cases—notably the Coreflood botnet case in which a federal court granted the FBI a controversial order to distribute code to infected machines to disable the botnet malware on those systems.


5. Criminalize the Sale of Stolen Financial Data


It’s already illegal to steal financial data or use it for fraudulent purposes, and it’s illegal to traffic in stolen data, but the White House is proposing to put a fine point on the law by criminalizing the overseas sale of stolen U.S. credit card and bank account numbers. The proposal targets the vendors on and administrators of underground carding forums—many of them hosted and administered outside the U.S.—where stolen credit card data is traded and sold.


6. Cybercrime Can Be Prosecuted Like Mob Crimes


The White House proposes to affirm that the federal RICO statute or racketeering law applies to cybercrimes. Although conspiracy to commit fraud is already included in the Computer Fraud and Abuse Act and covers individuals who may not actually commit a crime but facilitate it in some way or are involved in the planning of it, this change further codifies that they can also be charged under the RICO statute. Mark Jaycox, legislative analyst for the EFF, says the RICO statute sets a lower bar for prosecuting anyone who belongs to a criminal organization no matter their role in it. This would potentially allow even the most minor player in a hacking conspiracy to be prosecuted under the RICO statute. And Jaycox notes that RICO doesn’t actually define “organization,” therefore there is concern that prosecutors could get creative in their definition of it.


7. Additional Changes to the Computer Fraud and Abuse Act


The White House is proposing several changes to the federal anti-hacking statute, which was originally passed in 1984 during the early days of hacking and has struggled to keep pace with the changing nature of computer intrusions. The CFAA prohibits unauthorized access to a computer whether that involves bypassing protections on the computer—such as in the case of hacking—or exceeding authorized access to a computer for unauthorized purposes (for example, an employee who has legitimate access to his company’s database but uses that access to steal data). Currently, basic hacking is considered a misdemeanor unless it’s done for profit or for the furtherance of another crime. As for exceeding authorized access, George Washington University law professor Orin Kerr points out that courts are currently divided over what constitutes a violation of this.


The proposed changes would turn a basic case of unauthorized access into a felony punishable by a sentence up to three years or up to ten years in some cases if it’s considered a hack for profit or for the furtherance of another crime.


The proposal also attempts to clarify the kind of activity that is considered unauthorized access. It states that access is unauthorized any time a user accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” This is likely meant to address problems that occurred with the prosecution of Andrew “weev” Auernheimer. Auernheimer was convicted of hacking an AT&T web site by using a vulnerability in the site that allowed anyone to obtain the unprotected email addresses of iPad customers. His defense attorneys argued that this wasn’t unauthorized since by posting the information online and failing to protect it, AT&T had essentially authorized anyone in the world to access it. The government argued, however, that Auernheimer knew AT&T did not intend for users to access the data in the way he did and therefore it was unauthorized. The White House proposal, according to Kerr, could be intended to strengthen the government’s stance in similar cases in the future.


“[T]he expansion of ‘exceeding authorized access’ would seem to allow lots of prosecutions under a ‘you knew the computer owner wouldn’t like that’ theory,” Kerr wrote in a Washington Post column last week. “And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct.”


Ordinarily, Auernheimer’s act, if considered a violation, should have been a misdemeanor, but the government charged him with a felony by saying that his unauthorized access was in furtherance of another crime—a New Jersey state law against unauthorized access. Defense attorneys considered this a double-counting of a single offense and Auernheimer’s conviction was later overturned.


The White House proposal appears to address this. For example, it states that simple unauthorized access is a felony if done against a government computer, if the value of the data exceeds $5,000 or if it’s done in furtherance of a state or federal felony crime. But if, in the latter case, the state or other federal violation is “based solely on obtaining the information without authorization or in excess of authorization”—that is, with no other additional crime than this, then it would not qualify for a felony. Kerr says the wording is tricky, however, and could be interpreted as a means to address the double-counting problem that prosecutors encountered with the Auernheimer case. As long as the law governing the other state or federal felony crime is not just about unauthorized access but includes an additional element to it then a defendant could be charged with a felony for exceeding authorized access based on the combination of the CFAA and the state law.


“If the state unauthorized access crime has just one element beyond unauthorized access such as ‘obtaining information,’ the thinking would run, the violation is not based ‘solely on obtaining the information without authorization,’” Kerr notes. “That will usually be the case, though, which to my mind introduces a serious double counting problem…. Given that the Administration’s proposals would make liability for breaching a written condition a felony where the theory is allowed — mostly serious 10-year maximum felonies — the double-counting problem gives me some heartburn.”


The White House also proposes to make it illegal to traffic in any tool that provides the “means of access” to a computer, if the maker has reason to believe someone could use it for illegal purposes. This is meant to criminalize the sale or trading of stolen passwords or similar credentials but the proposal also refers to trafficking in “any other means of access” to a computer. Critics are concerned that the latter could be interpreted to outlaw the sale or distribution of penetration tools or exploit code—code that is used by cyber criminals to attack vulnerabilities in computer systems to gain access to them. This matters because exploits and penetration tools are also used by security professionals to determine if a system is vulnerable to attack. Jaycox says this is the most dangerous part of the White House changes to the CFAA.


“They’re potentially killing the security tools researchers use to find security holes,” he says. “The chilling effect this may have on researchers is enormous.”


In summary, Kerr says on the whole he’s “skeptical” of the administration’s proposals for the CFAA since they would make some punishments too severe and “expand liability in some undesirable ways.” But he notes that the administration has also made some compromises. “They’re giving up more than they would have a few years ago, and there are some promising ideas in there,” he noted in his assessment.


It will all depend on which of the proposals, if any, lawmakers decide to adopt and how they word their changes.



Stop the Lies: Facebook Will Soon Let You Flag Hoax News Stories


Remember when Sarah Palin joined Al Jazeera America? Or Paul Krugman declared bankruptcy?


Neither of these stories was true. But in a social-media-driven news cycle that moves at perpetual warp speed, these falsehoods raced out ahead of the facts.


Now Facebook, clearly self-conscious about its role as a leading venue where these lies spread, is trying to enlist its own users as crusaders for accuracy. In a blog post on Tuesday, the company said it was adding an option to its social networking service that will let users flag news stories as hoaxes. If you elect to hide a post in your Facebook News Feed, the company explains, you will be able to flag it as “a false news story,” in much the same way you can flag pornographic and violent content today.





The more times a post is flagged as false, the less often it will show up in News Feeds, the company says. Facebook won’t delete heavily flagged posts, but they could end up with a disclaimer: “Many people on Facebook have reported that this story contains false information.”


Nonetheless, this effort to crowd-source journalistic accuracy carries its dangers. Think The New York Times is a liberal rag spreading dangerous left-wing propaganda? Click. Think Fox News is run by a bunch of shills for the Koch brothers? Click. It’s not like Facebook is asking for corroborating fact-checking before letting you click a button.


But Facebook claims the process works. “Stories that include scams, or deliberately misleading news, are reported two and a half times more often than links to other news stories,” Facebook engineer Erich Owens and researcher Udi Weinsberg wrote.


The High Stakes of Hoaxes


Whether or not the crowd is as wise to journalistic fraud as Facebook hopes, the stakes for the company are high. As Facebook continues to grow in importance as a driver of traffic to online publishers’ sites, clickbait mills have sprung up to feed on social media users’ gullibility in the chase for ad dollars. Some of these sites’ proprietors claim they’re doing satire, but satire that doesn’t really try to be funny is pretty much just lying. And the more these lies spread, the more Facebook’s brand is tarnished.


Google faced a similar problem a few years back as content farms figured out how to game search, deluging users’ top results with low-quality links. The search giant changed its algorithms, and content farms withered. Facebook faces a thornier problem, since its own users are in part culpable when fake news spreads.


One way to fight the virality of falsehood is to take Facebook’s approach and turn the dial down on how often such stories show up for users. But in doing so, the company calls attention to the fact that the News Feed is not neutral. Facebook has not only an ability but an interest in exerting control over what you see and click. It’s not a conspiracy. But it’s another reminder that if you rely on social media alone for news, you might not be getting the whole story.



That Solar-Powered Plane Is Almost Ready for Its Round-the-World Flight





As soon as next month, a single-seat, solar-powered plane with a wingspan longer than that of a Boeing 747 will take off on a five-month journey around the planet. This morning, the team behind Solar Impulse 2, the 5,000-pound plane powered by nothing but sunshine, announced the route pilots Bertrand Piccard and André Borschberg will follow, starting and ending in Abu Dhabi.

The solar panels that cover the wings and fuselage of Solar Impulse 2 charge up four extra-efficient batteries, which make up a quarter of the plane’s weight. Those power its 17.4-horsepower motors, enough to move the plane at 20 to 90 mph (hey, this isn’t exactly the Concorde). The plane and its predecessor, Solar Impulse 1, have already completed flights across the United States and overnight. But this journey will send it across oceans for the first time.


The key to staying aloft for up to five days at a time—necessary when flying across the Pacific at the speed of a professional cyclist—is charging up the batteries during the daytime and cruising at up to 28,000 feet. When the sun sets, the plane descends to about 5,000 feet, converting altitude into distance. Also key: the cockpit seat reclines so the pilot can sleep, and doubles as a toilet. All told, Piccard and Borschberg will cover 22,000 miles and spend about 500 hours in the air, the equivalent of three weeks. The 60-person support team will be monitoring weather systems to change the route as necessary.


In late February or early March, they will take off from Abu Dhabi and head east, stopping first in Muscat, Oman, then in Ahmedabad and Varanasi, India. After stops in Mandalay, Myanmar, and Chongqing and Nanjing in China, the plane will cross the Pacific, landing in Hawaii en route to Phoenix. Next up is a stop somewhere in the Midwest (TBD based on weather conditions), then a touchdown at New York’s JFK airport. From there, Solar Impulse 2 will cross the Atlantic, landing in either Southern Europe or North Africa, and then head back to Abu Dhabi.


The point of the flight isn’t to produce commercially viable solar-powered planes. Battery-powered aircraft are in their infancy, even those that can be charged up with a cord and an outlet. It’s all about proving what’s possible. “When the Apollo astronauts went to the moon, it wasn’t to launch tourism on the moon and open hotels and make money,” Piccard says. “It was to inspire the world.”



Microsoft Snags a Machine-Learning Startup to Help You Sort All That Data





Microsoft has agreed to acquire Equivio, an Israel-based startup that uses machine learning to sort large amounts of data into relevant groups.


On Tuesday, Rajesh Jha, Microsoft’s corporate vice president of Outlook and Office 365, announced the news on the company blog, writing that Equivio’s technology would help Microsoft customers deal with “the legal and compliance challenges inherent in managing large quantities of email and documents.” That’s because Equivio uses text analysis software to sift through large amounts of unstructured data and place documents and other pieces of text into relevant groups. The end goal is to save Microsoft’s corporate clients time and money.


“Businesses and governments around the world generate enormous volumes of data every day,” Jha wrote. “Traditional techniques for finding relevant documents are falling behind as the growth of data outpaces peoples’ ability to manually process it.”


This move by Microsoft is just the most recent example of how machine learning, technology once relegated to research and development labs, is pervading the tools and apps we use every day. We use it every time we ask Siri for listings of nearby restaurants and every time Google Now gives us preemptive information on traffic before an upcoming appointment. It’s part of Amazon product recommendations and Facebook’s facial recognition tools. Now, Microsoft wants to bring it to its email and office services, too.


Equivio is already widely used by law firms and government agencies. Its machine learning capabilities help people in the legal profession find and transfer electronic files for eDiscovery. Users can also train Equivio’s technology to recognize and group certain types of documents together. In bringing these additional capabilities to its Office and Outlook products, Microsoft is clearly looking for new ways to stay competitive with other companies, including Google, which have developed increasingly popular tools for document management in recent years.


“Microsoft is serious about providing customers with tools to manage the legal and compliance requirements that are key to responsible business practices,” Jha wrote. “Office 365 includes robust eDiscovery and information governance capabilities today, and we’ll use Equivio’s machine learning technology to make these vital tools even more intelligent and easy to use in the months ahead.”



7 Reasons Security Wonks Should Watch the State of the Union Tonight


US President Barack Obama delivers the State of the Union address January 28, 2014.

US President Barack Obama delivers the State of the Union address January 28, 2014. Larry Downing/AFP/Getty Images



President Obama has left few questions about what he plans to unveil in his State of the Union address tonight, having dropped several previews in the last two weeks about legislation the White House is proposing. He will undoubtedly go into more detail tonight at 9 p.m. ET, and we will be watching specifically to hear him expand on comments already made about proposed changes to cybersecurity legislation (.pdf).


The State of the Union address is traditionally the vehicle for the president to reveal his legislative agenda for the year to Congress. With Republicans now in charge of both houses, President Obama did something he hasn’t done in the six State of Unions he’s delivered before tonight—he took his agenda to the public first. The point of this public tactic is no doubt to win support for his new proposals outside the Beltway, applying pressure on Capitol Hill.


There are several areas of the address that will be of interest to WIRED Threat Level readers. Some of them involve changes to the existing Computer Fraud and Abuse Act, some of them involve new legislative proposals.


1. Information-Sharing About Computer Intrusions


Obama has proposed legislation that would give companies certain immunity for sharing information with the government about breaches they experience. The move is meant to help the government predict and combat cyberattacks by encouraging companies to share threat data with the Department of Homeland Security and information-sharing and analysis centers—known as ISACs—without fear of potential lawsuits from customers. Similar legislation was proposed in the past but failed to gain traction due, in part, to concerns from civil liberties groups that the data could include information that violates the privacy of customers and provides the government with another avenue for conducting warrantless surveillance. Of particular concern to privacy groups is a provision of the new proposal that would allow DHS to further share the information in “near real time” with other government agencies, including the FBI, Secret Service, NSA, and the Defense Department’s U.S. ­Cyber Command.


Groups like the Electronic Frontier Foundation are concerned that personal information shared with law enforcement and intelligence agencies might be used for purposes other than combating cyber threats. But the White House has pointed out that in order to qualify for immunity under the proposal legislation, companies would be required to remove unnecessary personal information before handing it off to DHS. The White House proposal also calls for imposing limits on how and when the data can be used and tasks DHS and the Justice Department with developing guidelines for its retention and use.


2. 30-Day Breach Notification


The White House is also proposing a federal breach notification law. This would require entities that are hacked—private companies, educational institutions and government agencies, for example—to notify victims within 30 days after discovering that their personally identifiable information has been stolen or accessed by an unauthorized person. The proposal attempts to resolve disparities between a patchwork of state breach notification laws that are confusing and costly to enforce.


3. Expansion of Federal Law Deterring Spyware


The White House proposal would allow the government to seize any proceeds gained from the sale of spyware or other tools intended to be used for unlawful data interception. In the wake of a recent indictment against the maker of a spyware app called StealthGenie, this is meant to target all sellers of spyware and stalkingware. StealthGenie is a spy app for iPhones, Android phones and Blackberry devices that was marketed primarily to people who suspected their spouse or lover of cheating on them, but products like it are also used by stalkers and perpetrators of domestic violence to track their victims. The app secretly recorded phone calls and siphoned text messages and other data from a target’s phone, all of which customers of the software could view online. Authorities arrested CEO Hammad Akbar, a 31-year-old Pakistani resident, last October following his indictment in Virginia on federal wiretapping charges, which included conspiracy to market and sell the surreptitious interception device. “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana J. Boente of the Eastern District of Virginia said in a statement about the case.


Although it’s not uncommon for the makers of illicit tools used in criminal hacking to be charged with illegal activity, it’s often the case that the developers of such tools are also its surreptitious users. The case against Akbar was remarkable for its focus on the seller of a commercial software program who wasn’t accused of using the tool for illegal purposes. The government argued that the maker of such software is liable as an enabler of a privacy invasion.


4. Give Courts Authority to Shut Down Botnets


Botnets, or armies of infected machines, are used by cybercriminals to deliver spam, conduct denial-of-service attacks and distribute malware. A burgeoning business has developed to supply spammers and cybercriminals with access to readymade bots by renting them time on the hijacked machines. The White House proposal would give courts the authority to shut down botnets and would also give immunity to anyone complying with such an order as well as authorize officials to reimburse someone who incurs a monetary cost for complying with the order. The proposal is meant to cement authority that has already been exercised by courts in a few cases—notably the Coreflood botnet case in which a federal court granted the FBI a controversial order to distribute code to infected machines to disable the botnet malware on those systems.


5. Criminalize the Sale of Stolen Financial Data


It’s already illegal to steal financial data or use it for fraudulent purposes, and it’s illegal to traffic in stolen data, but the White House is proposing to put a fine point on the law by criminalizing the overseas sale of stolen U.S. credit card and bank account numbers. The proposal targets the vendors on and administrators of underground carding forums—many of them hosted and administered outside the U.S.—where stolen credit card data is traded and sold.


6. Cybercrime Can Be Prosecuted Like Mob Crimes


The White House proposes to affirm that the federal RICO statute or racketeering law applies to cybercrimes. Although conspiracy to commit fraud is already included in the Computer Fraud and Abuse Act and covers individuals who may not actually commit a crime but facilitate it in some way or are involved in the planning of it, this change further codifies that they can also be charged under the RICO statute. Mark Jaycox, legislative analyst for the EFF, says the RICO statute sets a lower bar for prosecuting anyone who belongs to a criminal organization no matter their role in it. This would potentially allow even the most minor player in a hacking conspiracy to be prosecuted under the RICO statute. And Jaycox notes that RICO doesn’t actually define “organization,” therefore there is concern that prosecutors could get creative in their definition of it.


7. Additional Changes to the Computer Fraud and Abuse Act


The White House is proposing several changes to the federal anti-hacking statute, which was originally passed in 1984 during the early days of hacking and has struggled to keep pace with the changing nature of computer intrusions. The CFAA prohibits unauthorized access to a computer whether that involves bypassing protections on the computer—such as in the case of hacking—or exceeding authorized access to a computer for unauthorized purposes (for example, an employee who has legitimate access to his company’s database but uses that access to steal data). Currently, basic hacking is considered a misdemeanor unless it’s done for profit or for the furtherance of another crime. As for exceeding authorized access, George Washington University law professor Orin Kerr points out that courts are currently divided over what constitutes a violation of this.


The proposed changes would turn a basic case of unauthorized access into a felony punishable by a sentence up to three years or up to ten years in some cases if it’s considered a hack for profit or for the furtherance of another crime.


The proposal also attempts to clarify the kind of activity that is considered unauthorized access. It states that access is unauthorized any time a user accesses information “for a purpose that the accesser knows is not authorized by the computer owner.” This is likely meant to address problems that occurred with the prosecution of Andrew “weev” Auernheimer. Auernheimer was convicted of hacking an AT&T web site by using a vulnerability in the site that allowed anyone to obtain the unprotected email addresses of iPad customers. His defense attorneys argued that this wasn’t unauthorized since by posting the information online and failing to protect it, AT&T had essentially authorized anyone in the world to access it. The government argued, however, that Auernheimer knew AT&T did not intend for users to access the data in the way he did and therefore it was unauthorized. The White House proposal, according to Kerr, could be intended to strengthen the government’s stance in similar cases in the future.


“[T]he expansion of ‘exceeding authorized access’ would seem to allow lots of prosecutions under a ‘you knew the computer owner wouldn’t like that’ theory,” Kerr wrote in a Washington Post column last week. “And that strikes me as a dangerous idea, as it focuses on the subjective wishes of the computer owner instead of the individual’s actual conduct.”


Ordinarily, Auernheimer’s act, if considered a violation, should have been a misdemeanor, but the government charged him with a felony by saying that his unauthorized access was in furtherance of another crime—a New Jersey state law against unauthorized access. Defense attorneys considered this a double-counting of a single offense and Auernheimer’s conviction was later overturned.


The White House proposal appears to address this. For example, it states that simple unauthorized access is a felony if done against a government computer, if the value of the data exceeds $5,000 or if it’s done in furtherance of a state or federal felony crime. But if, in the latter case, the state or other federal violation is “based solely on obtaining the information without authorization or in excess of authorization”—that is, with no other additional crime than this, then it would not qualify for a felony. Kerr says the wording is tricky, however, and could be interpreted as a means to address the double-counting problem that prosecutors encountered with the Auernheimer case. As long as the law governing the other state or federal felony crime is not just about unauthorized access but includes an additional element to it then a defendant could be charged with a felony for exceeding authorized access based on the combination of the CFAA and the state law.


“If the state unauthorized access crime has just one element beyond unauthorized access such as ‘obtaining information,’ the thinking would run, the violation is not based ‘solely on obtaining the information without authorization,’” Kerr notes. “That will usually be the case, though, which to my mind introduces a serious double counting problem…. Given that the Administration’s proposals would make liability for breaching a written condition a felony where the theory is allowed — mostly serious 10-year maximum felonies — the double-counting problem gives me some heartburn.”


The White House also proposes to make it illegal to traffic in any tool that provides the “means of access” to a computer, if the maker has reason to believe someone could use it for illegal purposes. This is meant to criminalize the sale or trading of stolen passwords or similar credentials but the proposal also refers to trafficking in “any other means of access” to a computer. Critics are concerned that the latter could be interpreted to outlaw the sale or distribution of penetration tools or exploit code—code that is used by cyber criminals to attack vulnerabilities in computer systems to gain access to them. This matters because exploits and penetration tools are also used by security professionals to determine if a system is vulnerable to attack. Jaycox says this is the most dangerous part of the White House changes to the CFAA.


“They’re potentially killing the security tools researchers use to find security holes,” he says. “The chilling effect this may have on researchers is enormous.”


In summary, Kerr says on the whole he’s “skeptical” of the administration’s proposals for the CFAA since they would make some punishments too severe and “expand liability in some undesirable ways.” But he notes that the administration has also made some compromises. “They’re giving up more than they would have a few years ago, and there are some promising ideas in there,” he noted in his assessment.


It will all depend on which of the proposals, if any, lawmakers decide to adopt and how they word their changes.



Facebook Wants to Stop the Lies by Letting Users Flag News Hoaxes






Remember when Sarah Palin joined Al Jazeera America? Or Paul Krugman declared bankruptcy?


Neither of these stories was true. But in a social-media-driven news cycle that moves at perpetual warp speed, these falsehoods raced out ahead of the facts.


Now Facebook, clearly self-conscious about its role as a leading venue where these lies spread, is trying to enlist its own users as crusaders for accuracy. In a blog post on Tuesday, the company said it was adding an option to its social networking service that will let users flag news stories as hoaxes. If you elect to hide a post in your Facebook News Feed, the company explains, you will be able to flag it as “a false news story,” in much the same way you can flag pornographic and violent content today.





The more times a post is flagged as false, the less often it will show up in News Feeds, the company says. Facebook won’t delete heavily flagged posts, but they could end up with a disclaimer: “Many people on Facebook have reported that this story contains false information.”


Nonetheless, this effort to crowd-source journalistic accuracy carries its dangers. Think The New York Times is a liberal rag spreading dangerous left-wing propaganda? Click. Think Fox News is run by a bunch of shills for the Koch brothers? Click. It’s not like Facebook is asking for corroborating fact-checking before letting you click a button.


But Facebook claims the process works. “Stories that include scams, or deliberately misleading news, are reported two and a half times more often than links to other news stories,” Facebook engineer Erich Owens and researcher Udi Weinsberg wrote.


The High Stakes of Hoaxes


Whether or not the crowd is as wise to journalistic fraud as Facebook hopes, the stakes for the company are high. As Facebook continues to grow in importance as a driver of traffic to online publishers’ sites, clickbait mills have sprung up to feed on social media users’ gullibility in the chase for ad dollars. Some of these sites’ proprietors claim they’re doing satire, but satire that doesn’t really try to be funny is pretty much just lying. And the more these lies spread, the more Facebook’s brand is tarnished.


Google faced a similar problem a few years back as content farms figured out how to game search, deluging users’ top results with low-quality links. The search giant changed its algorithms, and content farms withered. Facebook faces a thornier problem, since its own users are in part culpable when fake news spreads.


One way to fight the virality of falsehood is to take Facebook’s approach and turn the dial down on how often such stories show up for users. But in doing so, the company calls attention to the fact that the News Feed is not neutral. Facebook has not only an ability but an interest in exerting control over what you see and click. It’s not a conspiracy. But it’s another reminder that if you rely on social media alone for news, you might not be getting the whole story.



That Solar-Powered Plane Is Almost Ready for Its Round-the-World Flight





As soon as next month, a single-seat, solar-powered plane with a wingspan longer than that of a Boeing 747 will take off on a five-month journey around the planet. This morning, the team behind Solar Impulse 2, the 5,000-pound plane powered by nothing but sunshine, announced the route pilots Bertrand Piccard and André Borschberg will follow, starting and ending in Abu Dhabi.

The solar panels that cover the wings and fuselage of Solar Impulse 2 charge up four extra-efficient batteries, which make up a quarter of the plane’s weight. Those power its 17.4-horsepower motors, enough to move the plane at 20 to 90 mph (hey, this isn’t exactly the Concorde). The plane and its predecessor, Solar Impulse 1, have already completed flights across the United States and overnight. But this journey will send it across oceans for the first time.


The key to staying aloft for up to five days at a time—necessary when flying across the Pacific at the speed of a professional cyclist—is charging up the batteries during the daytime and cruising at up to 28,000 feet. When the sun sets, the plane descends to about 5,000 feet, converting altitude into distance. Also key: the cockpit seat reclines so the pilot can sleep, and doubles as a toilet. All told, Piccard and Borschberg will cover 22,000 miles and spend about 500 hours in the air, the equivalent of three weeks. The 60-person support team will be monitoring weather systems to change the route as necessary.


In late February or early March, they will take off from Abu Dhabi and head west, stopping first in Muscat, Oman, then in Ahmedabad and Varanasi, India. After stops in Mandalay, Myanmar, and Chongqing and Nanjing in China, the plane will cross the Pacific, landing in Hawaii en route to Phoenix. Next up is a stop somewhere in the Midwest (TBD based on weather conditions), then a touchdown at New York’s JFK airport. From there, Solar Impulse 2 will cross the Atlantic, landing in either Southern Europe or North Africa, and then head back to Abu Dhabi.


The point of the flight isn’t to produce commercially viable solar-powered planes. Battery-powered aircraft are in their infancy, even those that can be charged up with a cord and an outlet. It’s all about proving what’s possible. “When the Apollo astronauts went to the moon, it wasn’t to launch tourism on the moon and open hotels and make money,” Piccard says. “It was to inspire the world.”



Microsoft Acquires Machine Learning Startup To Help You Clean Up That Mess of Data





Microsoft has agreed to acquire Equivio, an Israel-based startup that uses machine learning to sort large amounts of data into relevant groups.


On Tuesday, Rajesh Jha, Microsoft’s corporate vice president of Outlook and Office 365, announced the news on the company blog, writing that Equivio’s technology would help Microsoft customers deal with “the legal and compliance challenges inherent in managing large quantities of email and documents.” That’s because Equivio uses text analysis software to sift through large amounts of unstructured data and place documents and other pieces of text into relevant groups. The end goal is to save Microsoft’s corporate clients time and money.


“Businesses and governments around the world generate enormous volumes of data every day,” Jha wrote. “Traditional techniques for finding relevant documents are falling behind as the growth of data outpaces peoples’ ability to manually process it.”


This move by Microsoft is just the most recent example of how machine learning, technology once relegated to research and development labs, is pervading the tools and apps we use every day. We use it every time we ask Siri for listings of nearby restaurants and every time Google Now gives us preemptive information on traffic before an upcoming appointment. It’s part of Amazon product recommendations and Facebook’s facial recognition tools. Now, Microsoft wants to bring it to its email and office services, too.


Equivio is already widely used by law firms and government agencies. Its machine learning capabilities help people in the legal profession find and transfer electronic files for eDiscovery. Users can also train Equivio’s technology to recognize and group certain types of documents together. In bringing these additional capabilities to its Office and Outlook products, Microsoft is clearly looking for new ways to stay competitive with other companies, including Google, which have developed increasingly popular tools for document management in recent years.


“Microsoft is serious about providing customers with tools to manage the legal and compliance requirements that are key to responsible business practices,” Jha wrote. “Office 365 includes robust eDiscovery and information governance capabilities today, and we’ll use Equivio’s machine learning technology to make these vital tools even more intelligent and easy to use in the months ahead.”



Panasonic’s Quick-Shooting Lumix GF7 Is the Latest Selfie-Friendly Serious Camera


Now that phones are the go-to shooters for most people, compact cameras are following the phone’s lead. They’ve adopted touchscreen controls, added built-in Wi-Fi, and they offer Instagram-style filters in their software.


This year’s cameras are tackling another phone trend: They want to help you take better selfies.


The latest selfie-friendly camera is the Panasonic Lumix GF7, a 16-megapixel Micro Four-Thirds model with an adjustable 3-inch touchscreen. Like the Samsung NX Mini, Sony a5100, Olympus PEN E-PL7, and the Fujifilm X-A2 before it, this new compact interchangeable-lens shooter’s screen flips 180 degrees to let you check yourself out while you shoot. The first cameras with twisting screens shipped about a decade ago, but now that selfies have become a phenomenon, the front-flippable display has once again become a high priority on these compacts.


The GF7 eases selfie-snapping even further with some clever AI. It automatically enters selfie mode when you flip the screen up all the way. There’s Face Shutter, which fires a picture when you wave your hand. And there’s Buddy Shutter, which automatically captures a shot when you and a pal squeeze together in front of the camera.


Along with built-in Wi-Fi and NFC, there’s another trick when you pair the camera with a smartphone. Using your phone’s accelerometer, “Jump Snap” calculates when you reach the apex of a jump and snaps a shot at that moment. In other words, it has a Nerf basketball selfie mode.


But how many selfies can you take per second with this camera? The answer is nearly six per second with autofocus enabled. You can also take 40 photographs of yourself per second without AF at a lower resolution. Can you take good selfies in the dark, where your phone sucks at taking selfies? Probably, because the ISO ramps up to 25600.


Spec-wise, the GF7 looks plenty capable if you’re more interested in otheries or landscapies instead of selfies. There are manual exposure controls and aperture-/shutter-priority modes, as well as exposure-bracketing options and RAW shooting mode.


As with most Panasonic cameras, video should be a strong suit. The GF7 records 1080p/60fps video in MP4 or AVCHD Progressive format, as well as 1080p/24fps video in AVCHD. You can also use the touchscreen to transition between focus points while you’re recording video.


For the feature set, the Lumix GF7 is nicely priced. It’ll go for $600 as a kit with a 12-32mm/F3.5-5.6 lens (24mm to 64mm in 35mm equivalent). Will it be available in pink? Yes dude. Also, black.



Lyft Is Finally Ditching the Furry Pink Mustache




It’s hard not to think of Uber as a goliath. The smartphone taxi company is operating in fifty countries, and it’s raised nearly $3 billion in funding to date. It’s often doing things that people find unlikeable. And then there’s Lyft, which hasn’t yet expanded outside of the U.S., and has raised just $300 million, a comparatively modest sum. Lyft is the underdog. Lyft is David. Thing is, it’s hard to work a slingshot when you’re wearing a gigantic pink mustache.


The oversized facial hair has been a defining part of Lyft’s brand from the start. Strapped to the front of drivers’ cars, the furry pink mustache quickly became a ubiquitous sight on San Francisco streets after the company’s founding in 2012. Lyft liked it because it was whimsical and irreverent. Most important, says Lyft President John Zimmer, it made people smile. Today, however, Zimmer admits the ‘stache isn’t for everyone. “It was this big giant fuzzy thing,” he says. “If you were going to an important business meeting, it might not be the best way to roll up.”





That’s why Lyft built the “glowstache.” Think of it as mustache 2.0. It’s a small, plastic mustache, about the size of a banana, designed to float on Lyft drivers’ dashboards using magnets. At night, it emits a gentle pink glow. It’s meant to replace the familiar fuzzy ‘staches and grow up the company’s image; Lyft will start sending them out to drivers this month. The glowstache is a little less cute, a little more cool. Still friendly, still fun—just not overbearingly so.


The Origin of the Carstache


The original furry mustache, dubbed the “carstache,” dates back to 2010, two years before Lyft came into existence. It was invented by Ethan Eyler. At first, it was pretty much just Eyler driving around San Francisco with one on his car. A tweet from Khloe Kardashian helped generate some buzz. Around then, John Zimmer got in touch with Eyler and put in an order for some twenty of the mustaches—he thought they’d make for good gag gifts for investors of his ride-sharing startup, ZimRide. Later, when ZimRide transformed into Lyft, Zimmer had the idea to put a mustache on the front of every car. Soon after, Eyler joined Lyft as brand manager.


Today, the challenge of refining Lyft’s signature whimsy falls largely to Jesse McMillin, the company’s new creative director, who joined last summer after a successful stint at Virgin America. From the start, McMillin knew the mustache in its original furry form was polarizing. “People were either like, ‘I love it,’ or ‘I never want to get in a car like that,’” he explains. McMillin tells me this in a room inside Lyft’s San Francisco office that could serve as a carstache museum. Every surface is covered with prototype mustaches. There are experimental mustaches made of astroturf, and mustaches that jiggle unseemingly when you poke them. There’s a case with a bunch of rubber mustaches in all different shades of pink. One of them is actually bright red, resembling nothing so much as Gene Simmons’ disembodied tongue.





When McMillin came on board last year, Lyft was already in the process of rethinking its iconic mustache. Eyler and co. had tapped Ammunition, the design studio behind Beats by Dre, to help generate some fresh ideas. Lyft wanted something enduring and iconic—a sort of 21st Century update of the taxi light.


Ammunition’s designers came up with all sorts of concepts. There were hood ornaments and laser-light window decals. They even considered ditching the mustache altogether. Eventually, the group settled on the understated direction for the new accessory. “When you see it now, you probably think it seems obvious. But it’s actually challenging from a design perspective,” says Robert Brunner, Ammunition’s founder. “Trying to productize an identity—turning any identity into an object that has function is not an easy thing to do. And in a way, we were maturing the icon, but we didn’t want to mature it. So that’s real tricky.”


Modern, Fresh, and Acceptable to Everyone



Jesse McMillin. Lyft





On one level, the glowstache is meant to be easier for drivers to use. It sits on a flexible adhesive pad, which can cling to the contours of any dashboard. Thanks to precisely placed magnets, it snaps into place satisfyingly and stands upright without fuss. The convenience factor was important; for many drivers, the novelty of the original carstache started to wear off somewhere around the twentieth time they had to get out and latch it to their grill. “The reality is, people were using it less and less,” Zimmer says. When people did use it, the thing wasn’t always sending the best message about the company itself. “A lot of times you’d see people driving around and it was cockeyed, or matted, or windblown,” McMillin says.

Symbolically, the glowstache is meant to reflect a more mature Lyft. Zimmer says it’s “more modern, more fresh, and also more acceptable for everyone.” As McMillin puts it, it’s more up to speed with how Lyft sees itself today—as a pioneering tech company, one capable of building sophisticated products like Lyft Line, which elegantly and automatically coordinates shared rides among separate users.


Zimmer is adamant that Lyft isn’t leaving its roots behind. To him, the company’s still about community—and making people smile. The new corporate symbol is, after all, still a bright pink mustache, he points out. But Zimmer does hope the glowstache can help nudge Lyft’s brand toward more aspirational territory, citing McMillin’s former employer, Virgin America, as inspiration. Zimmer admires the details that set Virgin apart from other airlines, like the soothing lighting and leather seats. But he’s also attracted to the clientele: hipsters and business people sitting side by side.