Exclusive Video: Tension, Dissension and Construction in Occupied DC

Occupy DC protestors hold the fort on Sunday night. Several men held the roof, while a larger group of men and women stayed inside on the ground level.

WASHINGTON — “Eat your heart out Zuccotti!” exclaimed Sophie Vic, chiding the far-more-celebrated former occupiers of Zuccotti Park in Manhattan.

Vic, camping in DC’s McPherson Square since October 6 while keeping her full-time day job, was literally jumping with excitement as compatriots assembled a 24-by-24-by-17-foot wooden meeting hall designed to hold 100 people.

It bent, to the breaking point, the definition of temporary structures that are allowed in the park by the National Park Service Police.

Occupiers had been hiding parts of the building in tents for several days. Around 12:00 AM Sunday morning, Wired witnessed the rest arriving in giant sections on a flatbed trailer, pulled by a pickup truck. Think modular home, with a sense of urgency.

After two and a half hours marked by frequent glances for cops, about 50 occupiers had nailed and screwed together the modules – made of two-by-fours and particleboard – and hoisted them up, Amish-barn-raising style.

The People's Pentagon went up in the wee hours of Sunday morning when National Park Service police were not around to see it.

“And if the cops say ‘Take it down,’ we’ll say, No, you guys try,” declared the designer, an architect who went by only the name Paul.

“If they want to take it down, they’re going to have to hire a wrecking crew,” said David Givens, an occupier who had helped build the structure.

Naturally, the cops obliged less than a day later, but only after a 12-hour media stunt that ended with police on ladders and in a cherry picker wrestling Givens off the roof. Coming just before a week of national protests in the capital, the mini-drama both revived DCs Occupy momentum and revealed its fissures.

Unlike nearly all occupations, DC until Sunday had essentially no legal friction no scuffles, pepper spraying or arrests and hence very little attention.

Senator Demands Telcos & HTC Come Clean on Carrier IQ

Sen. Al Franken (D-Minnesota) wants handset manufacturers and mobile carriers to explain what user data is being vacuumed to Carrier IQ, whose software is secretly installed on about 150 million mobile phones in the United States.

Franken is demanding that Sprint, HTC and AT&T cough up some answers, though the senator should also consider asking T-Mobile as well, because it uses Carrier IQ.

Carrier IQ, which records info so that carriers can troubleshoot their networks, came under intense scrutiny the past week after a Connecticut-based Android developer posted aYouTube video showing the software has enormous access to usage information.

Last week, Franken demanded that Carrier IQ, of Mountain View, California, explain what data it is siphoning from handsets. On Friday, in an on-site interview, Carrier IQ spilled the beans to Wired, saying it has the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received. The company said it cannot read contents of text messages, although the company days before said it could.

Carrier IQ said it was up to each company or handset manufacturer to decide what data is siphoned.

Facebook Flaw Exposes Private Photos

A flaw in Facebook’s image reporting tool allows users to view the private photos of other users, including those of Facebook founder Mark Zuckerberg — like the one at the top of this story.

The flaw was found by members of a bodybuilding forum, who discovered that if they reported a public Facebook photo for abuse – using the tool that Facebook offers to report nudity or pornography – they could access other nonpublic photos for the same user they’re reporting, according to ZDNET.

Facebook’s tool asks the reporting user to help Facebook “take action by selecting additional photos to include with your report” then displays a handful of other private photos belonging to the individual that’s being reported. The person reporting the abuse, can then rifle through the user’s other images.

Members of the bodybuilder forum used the flaw to peruse the images of women they found attractive. They then targeted Zuckerberg and began viewing his private photos, and posted some of them to an image site.

Facebook told ZDNET it’s investigating.

The FTC recently slapped Facebook’s hand for deceiving users into thinking that their information would be kept private, although it was “repeatedly” shared with the public.

The deal, which carries no financial penalties, demands that the social-networking site obtain “express consent” of their 850 million users before their information “is shared beyond the privacy settings they have established.”

Carrier IQ spyware controversy highlights mobile app access missteps

Security experts say the Carrier IQ software, designed to stealthily transmit a wealth ofsmartphone usage data to wireless carriers and vendors, is a serious enterprise security threat andhighlights the need for greater transparency about the data being collected.

Carrier IQ has heightenedscrutiny and awareness of what data is being collected and not being collected and how a user getsnotified.

VP of marketing, Redwood City

Security researcher Trevor Eckhart recently discovered the CarrierIQ software on a variety of Android mobile devices, and is capable of running on otherplatforms including those from BlackBerry and Nokia. The software, used by AT&T, Sprint andT-Mobile, is intended to provide metrics to mobile carriers, but it is not always optional; in manycases users dont know it is on their devices.

Eckhart said he found Carrier IQ running in the background on his HTC device, and that itappeared to be tracking nearly all interactions on his mobile phone, from monitoring key pressesand browsing history, to location data and SMS logs.

Experts warn that enterprises should educate device owners about the permissions they give tocertain mobile applications. An unknown number of mobile applications collect potentially sensitivedata because users are often too quick to give elevated mobileapp access privileges.

Device owners are more likely to have problems from quickly installing applications that theydont know much about, said Cameron Camp, a research systems manager at San Diego-based antivirusvendor ESET LLC. The problem here isnt that Carrier IQ or the mobile operators are doing evilthings; they clearly havent been fully transparent and thats what people are taking issuewith.

The goal of the software, according to Carrier IQ, is to help mobile operators improve servicequality. In a statement, Carrier IQ said Eckhart's research doesnt show how the applicationprocesses the data and what data is transmitted from the device. Carrier IQ said its applicationcaptures only data specified by carriers according to their privacy standards and agreements withusers. Other researchers have validated Carrier IQ'sclaims. Researcher Dan Rosenberg reversed engineered the Carrier IQ software and found that itdoes not record SMS messages or keystrokes.

Eckhart's research shows the Carrier IQ software runs like a rootkit, stealthily sniffing data.Rootkits, tools orprograms used to mask software or network intrusions, are typically used only by malicious hackers.Experts said the discovery draws comparisons to the rootkit-baseddigital rights management (DRM) system installed in 2005 by Sony BMG Music Entertainment Inc.to prevent CD copying.

The discovery of the software has raised ire in the security community and among privacyadvocates, who say both Carrier IQ and mobile carriers are failing to provide transparency into thedata they collect. Author and security expert Bruce Schneier calledCarrier IQ"spyware" and speculated that it is just one of multiple iterations of surveillance software inuse by mobile platform providers.

Romania-based antivirus vendor BitDefender has issued an Android application designed to detectthe Carrier IQ software.  Most users presume their devices are free from spyware and Trojans,said Catalin Cosoi, head of BitDefenders Online Threats Lab. The Carrier IQ software fails thetransparency test, Cosoi said, and degrades trust.

We have mobile analytics and applications for PCs to send statistics, but this should be onlyanonymous data and the user has to be informed that this information gets sent to serviceproviders, Cosoi said. There needs to be some kind of opt-out.

In some cases, poor coding practices result in an application that has too much access to deviceprocesses. Last year, two researchers demonstrated a variety of mobileapplication vulnerabilities and said the smartphone marketplaces have fostered a new wave ofless-skilled developers who build applications as quickly as possible to gain as much visibilityand profit as they can.

The kind of notifications given to users by mobile applications must be clear and should explainwhy an application needs to connect to a specific device resource, said Ahmed Datoo, vice presidentof marketing at Redwood City, Calif.-based mobile device management vendor Zenprise. Enterprisesface legal risks if they fail to establish mobile device security and privacy policies, Datoosaid.

Datoo said Zenprise uses a multiple tier approach in terms of notifying the user. For example, apop-up notification informs the user when location data is used by the Zenprise application. Thenotification appears, even if the user initially gave permission for the application to tap intothe devices global positioning system. The data is used by the Zenprise application to setlocation-based security policies.

Carrier IQ has heightened scrutiny and awareness of what data is being collected and not beingcollected and how a user gets notified, Datoo said. If an enterprise develops mobile applicationsit better make sure it communicates what it is collecting from the end user.

The UK Riot Commute: 2.2 Miles, On Average

Ever since this summer’s riots in England, it’s been clear that a significant portion of the participants traveled significant distances to join in.

For example, in my upcoming story for the January issue of Wired, I interview officials in Enfield, a suburb in the north of London, who say that a full 40 percent of the suspects in their riots hailed from outside the district, with some of them traveling from miles away, from neighborhoods on the other side of town.

But now we have some hard numbers. As part of Reading the Riots — a fantastic, newly-released collaboration between the Guardian newspaper and the London School of Economics — a data mapping company called ITO World analyzed how far arrested rioters traveled to take part in these events. Based on a sample of 400 court cases, they found that the average “riot commute” was 2.2 miles, as the crow flies, or 2.6 miles based on likely car distances.

Better yet, the firm made this fabulous animation, showing the commutes as they transpired over multiple days:

The longest recorded “commutes” were 8 miles. Guardian reporters even tracked down one participant who cut short an overseas holiday to fly back and take part in the riots: “Even though it was a waste of money, it was so worth it. If I could go back in time I wouldn’t change it. Absolutely worth it.” (The dataset that ITO World used was based on home addresses, so the man’s flight back doesn’t show up on the video, alas.)

Beyond the neat animation, this analysis supplies some hard figures in support of the idea — anecdotally observed at the time — that smartphones and social media played a significant role in the riots. Traditionally, urban riots have been largely localized affairs, even after the dawn of television made people aware of these events as they happened. But in the summer of 2011, better and faster and more socially tailored information allowed rioters to coordinate over miles: an average of 2.2, to be exact.

Carrier IQ Admits Holding Treasure Trove of Consumer Data, But No Keystrokes

MOUNTAIN VIEW, California — An embattled phone-monitoring software maker said Friday that its wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.

The Carrier IQ executives, speaking at their nondescript headquarters in a residential neighborhood in the heart of Silicon Valley, told Wired that the data they vacuum to their servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, they said, they are not logging every keystroke as a prominent critic suggested.

The data, which gets downloaded from consumers’ phones roughly once a day, is encrypted during transit and also provided to carriers to enhance the “user experience,” these executives said.

“We do recognize the power and value of this data,” Andrew Coward, the chief marketing officer, said. “We’re very aware that this information is sensitive. It’s a treasure trove.”

Carrier IQ came under intense scrutiny the last few days after a Connecticut-based Android developerposted a YouTube video showing the software has enormous access to usage information, and claiming that it logs a user’s every keystroke. The company was hit with privacy lawsuit on Friday. What’s more, Democratic Senator Al Frankendemanded answers, asking Carrier IQ’s chief executive Larry Lenhart whether Carrier IQ was vacuuming to Carrier IQ’s servers every stroke and communication.

Company executives invited Wired to Carrier IQ offices Friday to debunk the keystroke logging claim. Coward also emphasized that the software does not know the content of websites or apps or text messages or phone calls, but acknowledged that it does transmit website addresses to some carriers as a diagnostic tool.

“We’re seeing URLS and we can capture that information,” Coward said during the two-hour interview.

He said that the information is useful for users who call the phone company complaining, for example, that Facebook won’t load.The carrier’s operator, he said, might tell the complaining customer that the reason it won’t load is because the customer is misspelling “Facebook.”

“They could say, ‘Facebook is spelled F-A-C-E-B-O-O-K,’” he said. “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”

Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics. By contrast, your carrier, which sits between you and the internet, would normally only see https://www.google.com/ — for encrypted searches.

Not all Carrier IQ’s customer carriers choose to turn on the “record the urls” function, but some do. How much data is sent to each carrier depends on how much they want. Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.

The company holds onto the data for 10 to 30 days, depending on the carrier.

Coward said he was not aware of any carriers selling the data it collects on their behalf to third-party marketers. He said Carrier IQ “has no rights to the data collected.”

The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system. While legal, rooting almost always voids a phone’s warranty.

HP printer vulnerabilities leave millions of printers susceptible to attack

Although computers and mobile devices seem to be at the top of cybercriminals hacking to-dolists nowadays, researchers from Columbia University are warning of a devastating hack attacktargeting local printers.

Compared to the problem that mobile phones and tablets pose to corporate networks, this is smallpotatoes

Ed Skoudis, senior security consultant, InGuardians

A new study from Columbia Universitys Department of Computer Science claims tens of millions ofHewlett-Packard printers are vulnerable to attack. According to HP, the flaws exist in its LaserJetprinters made before 2009, but researchers claim other brands could possibly harbor thevulnerabilities as well.

Few details have leaked regarding the printerattack research. According to an Internet Storm Center(ISC) blog entry, before installing a firmware update, the printers in question dont checkdigital signatures. The devices Remote Firmware Update feature doesnt require authentication oreven a password for the update to commence, making it easy for hackers to compromise the machines.Long story short, for an embedded system (or any system for that matter) if you can rewrite theoperating system you can control the device and make it do all sorts of unintended things, wroteJohn Bambenek, one of the ISCs blog handlers.

The researchers demonstrated an attacker theoretically could remotely set a printer on fire byoverheating a fuser, penetrating computer networks and erasing code. HP, however, released astatement claiming the charges are sensational and the possibility of the machines catchingfire is false, saying the LaserJet printers contain a thermal breaker is designed to prevent thisfrom happening.

However, the company did admit it has identified a potential security vulnerability but onlyif placed on a public Internet without a firewall.

Organizations shouldnt panic because the technical details havent yet been released, said EdSkoudis, a SANS instructor and a founder and senior security consultant with InGuardians, aWashington, D.C.-based information security consulting firm. Skoudis said enterprises shouldalready be monitoring their printers and ensuring they are not connected to the Internet. Keep the devices patched and set some network filtering to constrain the printer to a limited setof connections, Skoudis said.

Compared to the problem that mobile phones and tablets pose to corporate networks, this issmall potatoes, Skoudis said. This is interesting and unique because of the physical threat posedvia cyber-means, but we need more details before we can assess the risk.

 The Columbia University researchers are also claiming there is no easy way to detect abreach. Best practices are likely sufficient to prevent against this attack, namely, you shouldnever have printers (or any other embedded device for that matter) exposed to the Internet,Bambenek wrote. He added that other than firewalling the device, monitoring traffic to and from themachine for anything other than its print jobs should give users a sign that something isawry.

HP said it is working on a firmware upgrade to mitigate the issue, but in the meantime, usersshould, like Bambenek explained, secure the machines with a firewall and disable remote firmwareupload on exposed printers.

Networkprinters, scanners and copiers have long been identified as a potential attack vector becausethey often store sensitive documents in their print spool. A CBS News report in 2009 highlightedthe problem of digitalimages stored on photocopiers. The news organization pulled hundreds of student names, homeaddresses, cell phone and Social Security numbers stored in the copiers hard drive.

~SearchSecurity.com News Director Robert Westervelt contributed to this report.

 

Occupy Catch-22: Boston Cops Throw Out the Kitchen Sink

Boston Police move in swiftly and with heavy force to remove a sink from Occupy Boston

Yes, it has come to this — cops and Occupy protestors at one of the last major encampments in the United States are fighting over a kitchen sink.

Boston police moved in with heavy force on Thursday’s General Assembly meeting in Boston’s Dewey Square to remove a DIY grey-water sink intended to help Occupy Boston members wash their dishes and comply with sanitation requirements that the city says the encampment is violating.

But the Boston cops who surround the Financial camp day and night enforce an embargo on anything durable entering the camp. So after Occupiers gang-rushed the 10-foot-long industrial sink into the camp Thursday night, the cops forced their way into the camp to remove the ‘contraband.’

One officer guarded the sink, while he was surrounded by a cold and frustrated crowd chanting, “Let us do the dishes!”

The protesters, whom the city has claimed are unable to maintain a healthy and safe area for the Occupy, have been frustrated in their attempts to comply with a Boston PD policy that designates everything that isn’t clothing and food as “construction material” and bans it from entering the Occupy.

TheOccupy Boston blog explained on Friday morning:

We are being blocked from replacing our tents with flame-retardant, winterized tents; from adding stability to our fraying walkways; and from protecting the health and safety of our community. Meanwhile, the city, the fire marshal, and the Board of Health testify that we must address these issues. Were still figuring out how to make sense of this.

Protestors linked arms and surrounded the sink to block police from removing it, using the people’s mic to ask the police to cite the law they were enforcing. The officers remained silent — except for calling for backup, which soon appeared in abundance.

Special operations officers marched in and lifted the industrial-sized sink over the heads of seated protesters, then rushed it back out to the street where they loaded it in a police transport vehicle. The sink proved about two feet too long for the truck, and remained so, despite the repeated shoving of several officers.

Protestors, routed at the camp, ran into the street ahead of the police. They regrouped and locked arms in front of the truck as it tried to leave. While two officers guarded the still-dangling sink, other police formed a line arm-to-arm in front of the truck, resulting in a face-off.

Police and protester lines face off in a conflict over a sink, Thursday night.

Eventually, protestors relented and let the truck leave.

One man was arrested for assaulting a police officer, and the camp medics aided a women who reported by that she’d been struck by a police van, and appeared to have a dislocated knee. She was taken from the scene by ambulance.

Boston mayor Thomas Menino gave a visibly agitated interview on the subject to local news Friday morning.

“I’m not going to allow them to put up a kitchen sink in the occupied area of the city of Boston,” Menino said. “It’s beyond their rights. We’ll let them stay there; were not going to have them build a new town there.”

Mayor Menino and the Boston PD continue, for the moment, to “let them stay there” by generously obeying a restraining order issued against them by the Suffolk Superior Court that’s in effect until at least Dec. 15.

This post is part of a special series from Quinn Norton, who is embedding with Occupy protestors and going beyond the headlines with Anonymous for Wired.com. For an introduction to the series, read Quinn’s description of the project.

Photos: Quinn Norton/Wired

Duqu Trojan attackers cleaned their tracks well, analysis finds

Security researchers conducting extensive forensics on the command-and-control server networkconnected to the Duqu Trojanhave found the cybercriminals behind the malware were careful to cover their tracks.

We still do not know who isbehind Duqu and Stuxnet. Although we have analyzed some of the servers, the attackers have coveredtheir tracks quite effectively.

Vitaly Kamluk, Kaspersky Lab

A global cleanup operation took place on Oct. 20, just two days after a reportoutlined Duqu and its similarities to the Stuxnet worm, said Vitaly Kamluk, a malware expert atKaspersky Lab. In a detailed report of the analysis conducted by Kaspersky researchers, Kamluk saidhis team found more than a dozen command-and-control servers operating during the past three years.So far, the researchers have identified more than a dozen different Duqu varients, Kamluksaid.

We still do not know who is behind Duqu and Stuxnet, Kamluk wrote Wednesday in a blog postoutlining the latest Duquanalysis. Although we have analyzed some of the servers, the attackers have covered theirtracks quite effectively.

The Kaspersky researchers found evidence that supports the theory that those behind Duqu werewell-funded and had the technical expertise necessary to target specific companies, covertly obtainspecific data and then cover their tracks, leaving few clues for forensics investigators. Duqushared some of the same source code as Stuxnet, the notorious wormdesigned to disrupt specific SCADA system processes. Some security experts believe the Duqu Trojanwas designed to gather intelligence needed for a more serious attack against supervisory controland data acquisition (SCADA) systems.

According to the Kaspersky Lab analysis, the original Duqu malware samples were traced back to acommand-and-control server in India, which was remotely wiped just hours before the hosting companymade an image for investigators. The server in India was also connected to a server in Belgium aswell as servers in Vietnam and the Netherlands. Other servers were identified in Germany,Singapore, Switzerland, the UK and South Korea.

The servers were running CentOS Linux and were hacked by brute forcing the root password, Kamluksaid. The attackers have a burning desire to update OpenSSH 4.3 to version 5 as soon as they getcontrol of a hacked server, he wrote. The researchers surmised that the server was in Vietnam andwas used to control certain Duqu variants found in Iran.

Despite the deep analysis, researchers could not determine which server was the base for all ofthe infections. The researchers also could not corroborate a theory that the attackers used azero-day vulnerability against OpenSSH 4.3 on CentOS.

Many other servers were used as part of the infrastructure, some of them used as main C&Cproxies while others were used by the attackers to jump around the world and make tracing moredifficult, Kamluk wrote. The attackers wiped every single server they had used as far back as2009 in India, Vietnam, Germany, the UK and so on.

Groups Petition for Right to Hack the Xbox, Back Up DVDs

Xbox awaiting 'jailbreaking' modification

The public could be allowed to copy DVDs onto their tablets and unlock video-game consoles to run home-brewed games if regulators side with public interest groups’ new requests to amend federal intellectual-property law.

Every three years, the U.S. Copyright office entertains requests to create temporary loopholes in the law that makes it a crime to circumvent encryption technologies — even in items that you buy. Just last year, the office decreed that it was finally legal to “jailbreak” smart phones so that iPhone users could install apps that Apple didn’t approve.

This season’s big-ticket requests to amend the Digital Millennium Copyright Act include one from Public Knowledge seeking legalization of technology that lets you copy encrypted movie DVDs. That could give movie fans the ability to watch legally purchased movies on the devices of their choice and make backup copies of children’s movies — which as any parent knows can get scratched beyond playability in no time.

But many movie DVDs are encrypted with so-called CSS encryption, meaning they cannot be copied unless decrypting software is used. But even for personal use, using that software is illegal — though Handbrake is free and widely used.

In 2009, because ofthe DMCA, a federal judge blocked RealNetworksfrom distributing DVD-copying software because the Seattle company’s wares employed tools that cracked the encryption on DVD videos.

Other similar software, including the free Handbrake, can be found on the internet, but the operators market those products at their own legal peril.

Video-game consoles are locked down with encryption as well. That’s because their makers want the device to only run their licensed games — making sure that Microsoft and Sony gets a cut on every piece of software that runs on an X-Box or a PlayStation.

If the U.S. Copyright Office grants the Electronic Frontier Foundation’s game-console-moddingrequest, that would put an end to federal prosecutions and civil lawsuits for such conduct. However, the feds could still prosecute those who bundle “mod kits” with pirated games.

Every three years the Copyright Office goes through a DMCA-exemption process and grants exemptions to the law’s ban on breaking encryption designed to protect copyrighted goods. The office is not expected to take action until next year, at a date not yet disclosed.

Last year, the office granted the EFF’s 2009 petition to allow mobile-phone jailbreaking. For an iPhone, that legalized the cracking of encryption protecting the bootloader tied to the iOS operating system.

Apple cried foul prior to the Copyright Office granting the mobile phone exemption, saying the loophole would ruin its business model. Jailbreaking allows phone owners to run any apps on their phone they want, even if they’re neither approved by Apple nor sold in iTunes.

Following Apple’s 2009 claim, however, more than 18 billion apps have been downloaded from Apple. In 2009, there were 1 billion app downloads.

Hollywood and game manufacturers are likely to object to Public Knowledge’s request to sanction DVD copying on grounds it would threaten their business models by letting DVD owners make illegal copies for friends.

The EFF’s petition also asks for an exemption on cracking tablet computers, such as iPads and the Kindle Fire.

Ever since the Copyright Office granted the mobile-phone cracking exemption, the hacking community has been treating tablet hacking as if it was legal. No tablet maker has taken legal action against developers marketing tablet-circumvention tools. But that doesn’t mean it’s actually legal.

This set of proceedings will mark the fifth time the Copyright Office has entertained DMCA petitions. It has granted about a dozen exemptions in all, including one allowing for copying clips from encrypted DVDs for educational and documentary purposes.

Because of a quirk in the 1990 law, the Copyright Office is also being asked by the EFF to re-authorize the mobile-phone jailbreaking exemption it granted last year. That’s because exemptions expire every three years.

Photo: Adam/Flickr

Assange Allowed to Seek Appeal of Extradition to Supreme Court

WikiLeaks founder Julian Assange has been granted the right to ask the United Kingdom’s Supreme Court to overturn an order extraditing him to Sweden, where he’s being investigated on rape charges.

A High Court said on Monday that it felt “constrained” to say that the case raised “a question of general public importance” beyond Assange’s individual circumstances but decided that Assange may proceed to ask the Supreme Court for permission to appeal his extradition ruling, according to the BBC. However, one of the High Court judges asserted that Assange’s chance of succeeding in the Supreme Court was “extraordinarily slim.”

Last February, Assange lost an effort to fight extradition to Sweden, where he faces questioning over sex-crimes allegations. He appealed that decision, but a High Court rejected that appeal last month. An appeal to the Supreme Court is his last chance to fight the extradition.

Assange has not been charged with any crime in Sweden, and used that fact as his primary defense in his earlier appeal to the High Court. Assange’s defense attorneys also asserted that Sweden’s request for his extradition was invalid because the prosecutor was “working for the executive” and was therefore not a proper judicial authority.

Mark Summers, an attorney for Assange, has told the court that, “Public prosecutors should not, in any circumstances, be permitted to issue [European arrest warrant]s.”

The High Court rejected both of those arguments and ordered that Assange must return to Sweden.

Assange then sought permission from the High Court to appeal to the Supreme Court. In order to do so, his attorneys had to show the High Court that his case related to a matter of public importance that went beyond Assange. The High Court refrained from asserting that his case met this criteria, but nonetheless gave him permission to ask the Supreme Court directly to hear his appeal.

Assange has 14 days to submit a written petition to the Supreme Court. If the court refuses to hear his appeal, he has no more avenue for redress and will be extradited to Sweden. If he is granted an appeal hearing, that appeal will likely take place at the Supreme Court around May next year.

Assange is being sought for questioning in Sweden on rape and coercion allegations stemming from sexual relations he had with two women in that country in August 2010. One woman has claimed that Assange pinned her down to have sex with her and intentionally tore a condom he wore. The second woman claims that he had sex with her while she was initially asleep, failing to wear a condom despite repeated requests for him to do so. Assange has disputed their claims.

Assange was arrested in Britain last December, just nine days after WikiLeaks began publishing from its cache of more than 250,000 leaked U.S. State Department diplomatic cables, which were trickling out at a rate of about a hundred a day. Nine days after that, Assange was released from jail on $300,000 bond.

Assange has denied any wrongdoing, asserting that the sex in both cases was consensual.

In the High Court’s rejection of his initial appeal, the judges noted that in the case of the second woman, it is difficult to see how a person could reasonably have believed in consent if the complainant alleges a state of sleep or half-sleep and that given that the woman had insisted on Assange wearing a condom, consent would not have been given without a condom.

Defense attorneys have claimed that Assange would not get a fair trial in Sweden, because rape trials in that country are sometimes held behind closed doors. They have also argued that Assange could somehow find himself extradited to the United States, where, they theorize, he could face execution for leaking secrets.

Assange has been living under house arrest in the large country estate of Vaughan Smith, whom the Guardian newspaper has described as a former army officer, journalist adventurer and right-wing libertarian. Assange has been allowed to remain free on bond, reporting to police every evening in person and honoring a curfew, while he awaited the outcome of his appeal.

Photo: Julian Assange (center) speaks to the media, flanked by his lawyers Mark Stephens (left) and Jennifer Robinson after making a appearance at Belmarsh Magistrates’ Court in London, Jan. 11, 2011. Matt Dunham/AP

Bradley Mannings Defense Attorney Looks to Blame Military for Leaks

The defense team for alleged WikiLeaksleaker Bradley Manning is seeking to show a massive leak of classified diplomatic documents is the military’s own fault since it repeatedly ignored warnings that the former Army intelligence analyst was emotionally unstable, andcontinuedto let him have access to classified networks.

That’s according to a redacted list of potential witnesses (.pdf) that Manning’s defense attorney, David E. Coombs, filed with the court last week and published on his blog over the weekend. The defense hopes to call the witnesses to a pre-trial hearing for Manning later this month, pending approval from the military court.

The documents suggest that the defense’s case will also focus on the military’s lax security at Forward Operating Base Hammer, where Manning was stationed in Iraq beginning late 2009 up until his arrest in May 2010. That lax security allowed soldiers to regularly install unauthorized programs and files on classified systems in order to listen to music and play computer games, according to the defense filing.

Manning is charged with 22 violations of military law for allegedly stealing records and transmitting defense information in violation of the Espionage Act, among other charges, which could get him up to life in prison if he’s convicted. In chat logs, Manning said he leaked the cables because he felt that the world needed to be aware of military activities that he believed were potentially illegal.

The defense’s focus on witnesses who will testify to Manning’s mental health and the military’s lax security is likely an effort to mitigate any punishment Manning will face if convicted.

Among the those who might be called to testify at the hearing is a psychologist who conducted an assessment of Bradley Manning on Dec. 24, 2009, just days after the soldier allegedly first made contact with WikiLeaks. The psychologist would testify, according to the defense, that he concluded at the time that Manning was under a considerable amount of stress and was potentially a danger to himself and others. The psychologist recommended that supervisors take Manning’s weapon from him or remove the bolt to disable the gun.

Although the psychologist had the option to recommend revoking Manning’s access to classified material, he did not do so and is expected to testify that he does not remember why he did not make this recommendation.

The witness list includes:

• psychologists and psychiatrists who evaluated Manning
• fellow soldiers who can testify to his emotional instability and the lax security conditions under which he worked,
• investigators with the FBI and the Army who interviewed witnesses and conducted forensic analysis of computers that Manning used during the time he was based in Iraq, and
• Adrian Lamo, the former hacker who turned Manning into authorities after the soldier allegedly confessed to him that he had stolen thousands of documents from classified networks and leaked them to WikiLeaks.

The list of witnesses also includes President Barack Obama — supposedly included to determine if remarks Obama made about Manning’s guilt represents undue influence on a military court from the commander-in-chief. Secretary of State Hilary Clinton is also being sought to testify to the lack of actual harm caused to national security by the leak of nearly 260,000 U.S. State Department cables.

Coombs notes in his filing that several of the witnesses have refused to be interviewed by him prior to the Article 32 hearing.

The Article 32 hearing, to be held at Fort Meade in Maryland beginning Dec. 16, is expected to last five days. The hearing is a military procedure similar to a grand jury hearing, whereby prosecutors will lay out their evidence before a judge who will determine if the case is sufficiently strong for the young private to be court-martialed. During the hearing, both prosecution and defense are allowed to call witnesses for questioning and cross-examination.

Coombs told CNN in September of 2010 that the Army had removed the bolt from Manning’s weapon due to concerns about his mental health, but details of the evaluation that prompted this were unknown until now.

According to the witness list, a psychologist, whose name is blacked out in the document, conducted a behavioral-health assessment of Manning on Dec. 24, 2009. Manning allegedly said in chat logs — first revealed by Wired.com — that he made contact with WikiLeaks shortly after Thanksgiving in 2009, after the secret-spilling site published 570,000 pager messages from the time of the Sept. 11, 2001 terrorist attacks in the United States.

The psychologist is expected to testify that Manning didn’t appear to have any social support system and seemed hypersensitive to criticism. The psychologist recommended that Manning be moved from the night shift to the day shift and be given lesser duties. He also determined that Manning should be given “low-intensity duty” for the immediate future, in addition to having his weapon disabled.

He or another mental-health expert subsequently treated Manning on numerous occasions between Dec. 30, 2009 and May 26, 2010 and determined that Manning needed long-term psychotherapy. In May 2010, shortly before Manning’s arrest, a psychiatrist determined again that Manning was at risk to himself and others and recommended that he not have an operable weapon. The psychiatrist is expected to testify that on May 22, he considered making a recommendation as to Manning’s access to classified information, but did not do so because Manning had by then already been demoted and moved out of the secure computer room where classified data is accessed.

According to chat logs between Manning and former hacker Adrian Lamo, Manning had been demoted after hitting a fellow soldier in the face and had been re-assigned to work in a supply annex.

The psychiatrist finally recommended on May 28 that Manning’s clearance be revoked, according to the defense filing. By then, however, Manning was already under investigation for leaking information to WikiLeaks, after Lamo reported him to authorities.

The document reveals that some Army witnesses are expected to testify that personnel regularly put unauthorized media on computers, such as programs, games, videos, and music and that it was fairly common to see games, music and movies on the classified Secret Internet Protocol Router Network (SIPRNet).

But at no point were personnel punished for placing unauthorized files on SIPRNet, witnesses are expected to testify. According to an information assurance security officer on the witness list, he tried to complain about the practice, but nothing was done. In one instance he found that a soldier had placed 500 gigabytes of information on his SIPRNet computer, but no action was taken to halt the practice.

The information is relevant to the case because Manning allegedly confessed to Adrian Lamo that he inserted a CD-ROM labeled as Lady Gaga music into his SIPRNet computer and copied thousands of documents from the network on to it, which he subsequently leaked to WikiLeaks. He is also charged with uploading unauthorized programs to the classified network.

The witness list also reveals that Manning only gained access to a database containing the U.S. State Department cables in January 2010 when someone gave him a link to the repository. The military person who sent him the link, and whom Coombs hopes to call as a witness, sent the link to Manning and other intelligence analysts “in order to allow the analysts to better understand the Iraqi political situation.”

A female soldier on the witness list would allegedly testify that it was she who first found the infamous Apache helicopter video on the military network, which WikiLeaks later published under the heading “Collateral Murder.” She called several soldiers over to view the video and that “over the next few days, several of the T-SCIF personnel debated about whether the video showed a camera or a rocket propelled Grenade (RPG) launcher and whether the actions of the Apache crew were appropriate under the circumstances.”

Another soldier would testify about a report that Manning encountered that described some “Iraqis or possibly some Moroccans” who were being arrested at a printing press facility. Manning was “very upset about the issue” after discovering that they may have been arrested for producing pamphlets that questioned whether Iraqi authorities were embezzling public funds.

“He will testify that if there was a moment in which Pfc. Manning may have snapped, this would have been it,” Coombs writes in the document. According to the witness, when Manning tried to call attention to the document, his superiors stonewalled him.

That account iscorroboratedby the chat logs between Manning and Lamo, in which Manning allegedly told Lamo that it was this incident that changed his mind about the military and appeared to be the catalyst for his decision to start leaking information.

“I had always questioned the things worked, and investigated to find the truth but that was a point where i was a *part* of something I was actively involved in something that i was completely against,” he allegedly wrote Lamo.

Adobe Flex update patches flaw in Flex application development framework

Adobe has issued an update to its Flex softwaredevelopment kit (SDK), repairing a vulnerability that could cause developers to createapplications susceptible to cross-sitescripting attacks.

Flex SDK is an open source software development framework used by developers to createapplications that can function on desktops, on smartphones and on tablet devices.  Thevulnerability affects Flex SDK version 4.5.1 and earlier and 3.6 and earlier running on Windows,Macintosh and Linux.

Many applications built with the earlier versions of the Flex SDK are vulnerable to cross-sitescripting attacks, Adobe warned. In its security bulletin issued Wednesday, Adobe said developersshould verify whether any Flash (.swf) files in their applications are vulnerable, and update anyvulnerable .swf files by fixing them or completely rebuilding them using an updated SDK.

The software vendor issued a technicalnote recommending developers repair applications built with Flex or rebuild them afterupgrading to the latest SDK.

To minimize the impact to your Flex projects, Adobe has released numerous different fixedversions of the Flex SDK, enabling you to replace each of your vulnerable versions of the SDK witha fixed version that is nearly identical, aside from the fix itself, Adobe said.

Adobe warned that the security fix could cause issues with applications that use ModuleLoader toload modules from different domains.

~Robert Westervelt

Groups Petition for Right to Hack the Xbox, Backup DVDs

Xbox awaiting 'jailbreaking' modification

The public could be allowed to copy DVDs onto their tablets and unlock video-game consoles to run home-brewed games if regulators side with public interest groups’ new requests to amend federal intellectual-property law.

Every three years, the U.S. Copyright office entertains requests to create temporary loopholes in the law that makes it a crime to circumvent encryption technologies — even in items that you buy. Just last year, the office decreed that it was finally legal to “jailbreak” smart phones so that iPhone users could intall apps that Apple didn’t approve.

This season’s big-ticket requests to amend the Digital Millennium Copyright Act include one from Public Knowledge seeking legalization of technology that lets you copy encrypted movie DVDs. That could give movie fans the ability to watch legally purchased movies on the devices of their choice and make backup copies of children’s movies — which as any parent knows can get scratched beyond playability in no time.

But many movie DVDs are encrypted with so-called CSS encryption, meaning they cannot be copied unless decrypting software is used. But even for personal use, using that software is illegal — though Handbrake is free and widely used.

In 2009, because of the DMCA, a federal judge blocked RealNetworksfrom distributing DVD-copying software because the Seattle company’s wares employed tools that cracked the encryption on DVD videos.

Other similar software, including the free Handbrake, can be found on the internet, but the operators market those products at their own legal peril.

Video-game consoles are locked down with encryption as well. That’s because their makers want the device to only run their licensed games — making sure that Microsoft and Sony gets a cut on every piece of software that runs on an X-Box or a PlayStation.

If the U.S. Copyright Office grants the Electronic Frontier Foundation’s game-console-moddingrequest, that would put an end to federal prosecutions and civil lawsuits for such conduct. However, the feds could still prosecute those who bundle “mod kits” with pirated games.

Every three years the Copyright Office goes through a DMCA-exemption process and grants exemptions to the law’s ban on breaking encryption designed to protect copyrighted goods. The office is not expected to take action until next year, at a date not yet disclosed.

Last year, the office granted the EFF’s 2009 petition to allow mobile-phone jailbreaking. For an iPhone, that legalized the cracking of encryption protecting the bootloader tied to the iOS operating system.

Apple cried foul prior to the Copyright Office granting the mobile phone exemption, saying the loophole would ruin its business model. Jailbreaking allows phone owners to run any apps on their phone they want, even if they’re neither approved by Apple nor sold in iTunes.

Following Apple’s 2009 claim, however, more than 18 billion apps have been downloaded from Apple. In 2009, there were 1 billion app downloads.

Hollywood and game manufacturers are likely to object to Public Knowledge’s request to sanction DVD copying on grounds it would threaten their business models by letting DVD owners make illegal copies for friends.

The EFF’s petition also asks for an exemption on cracking tablet computers, such as iPads and the Kindle Fire.

Ever since the Copyright Office granted the mobile-phone cracking exemption, the hacking community has been treating tablet hacking as if it was legal. No tablet maker has taken legal action against developers marketing tablet-circumvention tools. But that doesn’t mean it’s actually legal.

This set of proceedings will mark the fifth time the Copyright Office has entertained DMCA petitions. It has granted about a dozen exemptions in all, including one allowing for copying clips from encrypted DVDs for educational and documentary purposes.

Because of a quirk in the 1990 law, the Copyright Office is also being asked by the EFF to re-authorize the mobile-phone jailbreaking exemption it granted last year. That’s because exemptions expire every three years.

Photo: Adam/Flickr

Bradley Mannings Defense Attorney Looks to Blame Military for Leaks

The defense team for alleged WikiLeaksleaker Bradley Manning is seeking to show a massive leak of classified diplomatic documents is the military’s own fault since it repeatedly ignored signs that the former Army intelligence analyst was mentally unbalanced and let him have access to classified networks despite numerous warnings about him.

That’s according to a redacted list of potential witnesses (.pdf) that Manning’s defense attorney, David E. Coombs, filed with the court last week and published on his blog over the weekend. The defense hopes to call the witnesses to a pre-trial hearing for Manning later this month, pending approval from the military court.

The defense’s case will also focus on the military’s lax security at Forward Operating Base Hammer, where Manning was stationed in Iraq beginning late 2009 up until his arrest in May 2010. That lax security allowed soldiers to regularly install unauthorized programs and files on classified systems in order to listen to music and play computer games, according to the witness list.

Manning is charged with 22 violations of military law for allegedly stealing records and transmitting defense information in violation of the Espionage Act, among other charges, which could get him up to life in prison if he’s convicted. In chat logs, Manning said he leaked the cables because he felt that the world needed to be aware of military activities that he believed were potentially illegal. The defense’s focus on witnesses who will testify to Manning’s mental health and the military’s lax security is likely an effort to mitigate any punishment Manning will face if convicted.

Among the those who might be called to testify at the hearing is a psychologist who conducted an assessment of Bradley Manning on December 24, 2009, just days after the soldier allegedly first made contact with WikiLeaks. The psychologist would testify, according to the defense, that he concluded at the time that Manning was under a considerable amount of stress and was potentially a danger to himself and others. The psychologist recommended that supervisors take Manning’s weapon from him or remove the bolt to disable the gun.

Although the psychologist had the option to recommend revoking Manning’s access to classified material, he did not do so and is expected to testify that he does not remember why he did not make this recommendation.

The witness list includes:

• psychologists and psychiatrists who evaluated Manning
• fellow soldiers who can testify to his emotional instability and the lax security conditions under which he worked,
• investigators with the FBI and the Army who interviewed witnesses and conducted forensic analysis of computers that Manning used during the time he was based in Iraq, and
• Adrian Lamo, the former hacker who turned Manning into authorities after the soldier allegedly confessed to him that he had stolen thousands of documents from classified networks and leaked them to WikiLeaks.

The list of witnesses also includes President Barack Obama — supposedly included to determine if remarks Obama made about Manning’s guilt represents undue influence on a military court from the commander-in-chief. Secretary of State Hilary Clinton is also being sought to testify to the lack of actual harm caused to national security by the leak of nearly 260,000 U.S. State Department cables.

Coombs notes in his filing that several of the witnesses have refused to be interviewed by him prior to the Article 32 hearing.

The Article 32 hearing, to be held at Fort Meade in Maryland beginning Dec. 16, is expected to last five days. The hearing is a military procedure similar to a grand jury hearing, whereby prosecutors will lay out their evidence before a judge who will determine if the case is sufficiently strong for the young private to be court-martialed. During the hearing, both prosecution and defense are allowed to call witnesses for questioning and cross-examination.

Threat Level reported in September of 2010 that the Army had removed the bolt from Manning’s weapon due to concerns about his mental health, but details of the evaluation that prompted this were unknown until now.

According to the witness list, a psychologist, whose name is blacked out in the document, conducted a behavioral-health assessment of Manning on December 24, 2009. Manning allegedly said in chat logs that he first made contact with WikiLeaks shortly after Thanksgiving in 2009, after the secret-spilling site published 570,000 pager messages from the September 11, 2001 terrorist attacks in the U.S.

The psychologist is expected to testify that Manning didn’t appear to have any social support system and seemed hypersensitive to criticism. The psychologist recommended that Manning be moved from the night shift to the day shift and be given lesser duties. He also determined that Manning should be given “low-intensity duty” for the immediate future, in addition to having his weapon disabled.

He or another mental-health expert subsequently treated Manning on numerous occasions between December 30, 2009 and May 26, 2010 and determined that Manning needed long-term psychotherapy. In May 2010, shortly before Manning’s arrest, a psychiatrist determined again that Manning was at risk to himself and others and recommended that he not have an operable weapon. The psychiatrist is expected to testify that on May 22, he considered making a recommendation as to Manning’s access to classified information, but did not do so because Manning had by then already been demoted and moved out of the secure computer room where classified data is accessed.

According to chat logs between Manning and former hacker Adrian Lamo, Manning had been demoted after hitting a fellow soldier in the face and had been re-assigned to work in a supply annex.

The psychiatrist finally recommended on May 28 that Manning’s clearance be revoked. By then, however, Manning was already under investigation for leaking information to WikiLeaks, after Lamo reported him to authorities.

The document reveals that some Army witnesses are expected to testify that personnel regularly put unauthorized media on computers, such as programs, games, videos, and music and that it was fairly common to see games, music and movies on the classified Secret Internet Protocol Router Network (SIPRNet).

But at no point were personnel punished for placing unauthorized files on SIPRNet, witnesses are expected to testify. According to an information assurance security officer on the witness list, he tried to complain about the practice, but nothing was done. In one instance he found that a soldier had placed 500 Gigabyes of information on his SIPRNet computer, but no action was taken to halt the practice.

The information is relevant to the case because Manning allegedly confessed to Adrian Lamo that he inserted a CD-ROM purportedly containing Lady Gaga music into his SIPRNet computer and copied thousands of documents from the network on to it, which he subsequently leaked to WikiLeaks. He is also charged with uploading unauthorized programs to the classified network.

The witness list also reveals that Manning only gained access to a database containing the U.S. State Department cables in January 2010 when someone gave him a link to the repository. The military person who sent him the link, and who is expected to be called as a witness, sent the link to Manning and other intelligence analysts “in order to allow the analysts to better understand the Iraqi political situation.”

A female soldier is expected to testify that it was she who first found the infamous Apache helicopter video on the military network, which WikiLeaks later published under the heading “Collateral Murder.” She called several soldiers over to view the video and that “over the next few days, several of the T-SCIF personnel debated about whether the video showed a camera or a rocket propelled Grenade (RPG) launcher and whether the actions of the Apache crew were appropriate under the circumstances.”

Another soldier will testify about a report that Manning encountered that descrived some “Iraqis or possibly some Moroccans” who were being arrested at a printing press facility. Manning was “very upset about the issue” after discovering that they may have been arrested for producing pamphlets that questioned whether Iraqi authorities were embezzling public funds.

“He will testify that if there was a moment in which PFC Manning may have snapped, this would have been it,” Coombs writes in the document. According to the witness, when Manning tried to call attention to the document, his superiors stonewalled him.

This would seem to corroborate chat logs between Manning and Lamo, in which Manning allegedly told Lamo that it was this incident that changed his mind about the military and appeared to be the catalyst for his decision to start leaking information.

“i had always questioned the things worked, and investigated to find the truth but that was a point where i was a *part* of something i was actively involved in something that i was completely against,” he allegedly wrote Lamo.

Assange Allowed to Seek Appeal of Extradition to Supreme Court

WikiLeaks founder Julian Assange has been granted the right to ask the United Kingdom’s Supreme Court to overturn an order extraditing him to Sweden, where he’s being investigated on rape charges.

A High Court said on Monday that it felt “constrained” to say that the case raised “a question of general public importance” beyond Assange’s individual circumstances but decided that Assange may proceed to ask the Supreme Court for permission to appeal his extradition ruling, according to the BBC. However, one of the High Court judges asserted that Assange’s chance of succeeding in the Supreme Court was “extraordinarily slim.”

Last February, Assange lost an effort to fight extradition to Sweden, where he faces questioning over sex-crimes allegations. He appealed that decision, but a High Court rejected that appeal last month. An appeal to the Supreme Court is his last chance to fight the extradition.

Assange has not been charged with any crime in Sweden, and used that fact as his primary defense in his earlier appeal to the High Court. Assange’s defense attorneys also asserted that Sweden’s request for his extradition was invalid because the prosecutor was “working for the executive” and was therefore not a proper judicial authority.

Mark Summers, an attorney for Assange, has told the court that, “Public prosecutors should not, in any circumstances, be permitted to issue [European Arrest Warrant]s.”

The High Court rejected both of those arguments and ordered that Assange must return to Sweden.

Assange then sought permission from the High Court to appeal to the Supreme Court. In order to do so, his attorneys had to show the High Court that his case related to a matter of public importance that went beyond Assange. The High Court refrained from asserting that his case met this criteria, but nonetheless gave him permission to ask the Supreme Court directly to hear his appeal.

Assange has 14 days to submit a written petition to the Supreme Court. If the court refuses to hear his appeal, he has no more avenue for redress and will be extradited to Sweden. If he is granted an appeal hearing, that appeal will likely take place at the Supreme Court around May next year.

Assange is being sought for questioning in Sweden on rape and coercion allegations stemming from sexual relations he had with two women in that country in August 2010. One woman has claimed that Assange pinned her down to have sex with her and intentionally tore a condom he wore. The second woman claims that he had sex with her while she was initially asleep, failing to wear a condom despite repeated requests for him to do so. Assange has disputed their claims.

Assange was arrested in Britain last December, just nine days after WikiLeaks began publishing from its cache of more than 250,000 leaked U.S. State Department diplomatic cables, which were trickling out at a rate of about a hundred a day. Nine days after that, Assange was released from jail on $300,000 bond.

Assange has denied any wrongdoing, asserting that the sex in both cases was consensual.

In the High Court’s rejection of his initial appeal, the judges noted that in the case of the second woman, it is difficult to see how a person could reasonably have believed in consent if the complainant alleges a state of sleep or half-sleep and that given that the woman had insisted on Assange wearing a condom, consent would not have been given without a condom.

Defense attorneys have claimed that Assange would not get a fair trial in Sweden, because rape trials in that country are sometimes held behind closed doors. They have also argued that Assange could somehow find himself extradited to the United States, where, they theorize, he could face execution for leaking secrets.

Assange has been living under house arrest in the large country estate of Vaughan Smith, whom Guardian newspaper has described as a former army officer, journalist adventurer and right-wing libertarian. Assange has been allowed to remain free on bond, reporting to police every evening in person and honoring a curfew, while he awaited the outcome of his appeal.

Photo: Julian Assange (center) speaks to the media, flanked by his lawyers Mark Stephens (left) and Jennifer Robinson after making a appearance at Belmarsh Magistrates’ Court in London, Jan. 11, 2011. Matt Dunham/AP

Carrier IQ Admits Holding Treasure Trove of Consumer Data, But No Keystrokes

MOUNTAIN VIEW, California — An embattled phone-monitoring software maker said Friday that its wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.

The Carrier IQ executives, speaking at their nondescript headquarters in a residential neighborhood in the heart of Silicon Valley, told Wired that the data they vacuum to their servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, they said, they are not logging every keystroke as a prominent critic suggested.

The data, which gets downloaded from consumers’ phones roughly once a day, is encrypted during transit and also provided to carriers to enhance the “user experience,” these executives said.

“We do recognize the power and value of this data,” Andrew Coward, the chief marketing officer, said. “We’re very aware that this information is sensitive. It’s a treasure trove.”

Carrier IQ came under intense scrutiny the last few days after a Connecticut-based Android developerposted a YouTube video showing the software has enormous access to usage information, and claiming that it logs a user’s every keystroke. The company was hit with privacy lawsuit on Friday. What’s more, Democratic Senator Al Frankendemanded answers, asking Carrier IQ’s chief executive Larry Lenhart whether Carrier IQ was vacuuming to Carrier IQ’s servers every stroke and communication.

Company executives invited Wired to Carrier IQ offices Friday to debunk the keystroke logging claim. Coward also emphasized that the software does not know the content of websites or apps or text messages or phone calls, but acknowledged that it does transmit website addresses to some carriers as a diagnostic tool.

“We’re seeing URLS and we can capture that information,” Coward said during the two-hour interview.

He said that the information is useful for users who call the phone company complaining, for example, that Facebook won’t load.The carrier’s operator, he said, might tell the complaining customer that the reason it won’t load is because the customer is misspelling “Facebook.”

“They could say, ‘Facebook is spelled F-A-C-E-B-O-O-K,’” he said. “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”

Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics. By contrast, your carrier, which sits between you and the internet, would normally only see https://www.google.com/ — for encrypted searches.

Not all Carrier IQ’s customer carriers choose to turn on the “record the urls” function, but some do. How much data is sent to each carrier depends on how much they want. Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.

The company holds onto the data for 10 to 30 days, depending on the carrier.

Coward said he was not aware of any carriers selling the data it collects on their behalf to third-party marketers. He said Carrier IQ “has no rights to the data collected.”

The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system. While legal, rooting almost always voids a phone’s warranty.

Occupy Catch-22: Boston Cops Throw Out the Kitchen Sink

Boston Police move in swiftly and with heavy force to remove a sink from Occupy Boston

Yes, it has come to this — cops and Occupy protestors at one of the last major encampments in the United States are fighting over a kitchen sink.

Boston police moved in with heavy force on Thursday’s General Assembly meeting in Boston’s Dewey Square to remove a DIY grey-water sink intended to help Occupy Boston members wash their dishes and comply with sanitation requirements that the city says the encampment is violating.

But the Boston cops who surround the Financial camp day and night enforce an embargo on anything durable entering the camp. So after Occupiers gang-rushed the 10-foot-long industrial sink into the camp Thursday night, the cops forced their way into the camp to remove the ‘contraband.’

One officer guarded the sink, while he was surrounded by a cold and frustrated crowd chanting, “Let us do the dishes!”

The protesters, whom the city has claimed are unable to maintain a healthy and safe area for the Occupy, have been frustrated in their attempts to comply with a Boston PD policy that designates everything that isn’t clothing and food as “construction material” and bans it from entering the Occupy.

TheOccupy Boston blog explained on Friday morning:

We are being blocked from replacing our tents with flame-retardant, winterized tents; from adding stability to our fraying walkways; and from protecting the health and safety of our community. Meanwhile, the city, the fire marshal, and the Board of Health testify that we must address these issues. Were still figuring out how to make sense of this.

Protestors linked arms and surrounded the sink to block police from removing it, using the people’s mic to ask the police to cite the law they were enforcing. The officers remained silent — except for calling for backup, which soon appeared in abundance.

Special operations officers marched in and lifted the industrial-sized sink over the heads of seated protesters, then rushed it back out to the street where they loaded it in a police transport vehicle. The sink proved about two feet too long for the truck, and remained so, despite the repeated shoving of several officers.

Protestors, routed at the camp, ran into the street ahead of the police. They regrouped and locked arms in front of the truck as it tried to leave. While two officers guarded the still-dangling sink, other police formed a line arm-to-arm in front of the truck, resulting in a face-off.

Police and protester lines face off in a conflict over a sink, Thursday night.

Eventually, protestors relented and let the truck leave.

One man was arrested for assaulting a police officer, and the camp medics aided a women who reported by that she’d been struck by a police van, and appeared to have a dislocated knee. She was taken from the scene by ambulance.

Boston mayor Thomas Menino gave a visibly agitated interview on the subject to local news Friday morning.

“I’m not going to allow them to put up a kitchen sink in the occupied area of the city of Boston,” Menino said. “It’s beyond their rights. We’ll let them stay there; were not going to have them build a new town there.”

Mayor Menino and the Boston PD continue, for the moment, to “let them stay there” by generously obeying a restraining order issued against them by the Suffolk Superior Court that’s in effect until at least Dec. 15.

This post is part of a special series from Quinn Norton, who is embedding with Occupy protestors and going beyond the headlines with Anonymous for Wired.com. For an introduction to the series, read Quinn’s description of the project.

Photos: Quinn Norton/Wired

Duqu Trojan attackers cleaned their tracks well, analysis finds

Carrier IQ Admits Holding Treasure Trove of Consumer Data, But No Keystrokes

MOUNTAIN VIEW, California — An embattled phone-monitoring software maker said Friday that its wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.

The Carrier IQ executives, speaking at their nondescript headquarters in a residential neighborhood in the heart of Silicon Valley, told Wired that the data they vacuum to their servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, they said, they are not logging every keystroke as a prominent critic suggested.

The data, which gets downloaded from consumers’ phones roughly once a day, is encrypted during transit and also provided to carriers to enhance the “user experience,” these executives said.

“We do recognize the power and value of this data,” Andrew Coward, the chief marketing officer, said. “We’re very aware that this information is sensitive. It’s a treasure trove.”

Carrier IQ came under intense scrutiny the last few days after a Connecticut-based Android developerposted a YouTube video showing the software has enormous access to usage information, and claiming that it logs a user’s every keystroke. The company was hit with privacy lawsuit on Friday. What’s more, Democratic Senator Al Frankendemanded answers, asking Carrier IQ’s chief executive Larry Lenhart whether Carrier IQ was vacuuming to Carrier IQ’s servers every stroke and communication.

Company executives invited Wired to Carrier IQ offices Friday to debunk the keystroke logging claim. Coward also emphasized that the software does not know the content of websites or apps or text messages or phone calls, but acknowledged that it does transmit website addresses to some carriers as a diagnostic tool.

“We’re seeing URLS and we can capture that information,” Coward said during the two-hour interview.

He said that the information is useful for users who call the phone company complaining, for example, that Facebook won’t load.The carrier’s operator, he said, might tell the complaining customer that the reason it won’t load is because the customer is misspelling “Facebook.”

“They could say, ‘Facebook is spelled F-A-C-E-B-O-O-K,’” he said. “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”

Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics. By contrast, your carrier, which sits between you and the internet, would normally only see https://www.google.com/ — for encrypted searches.

Not all Carrier IQ’s customer carriers choose to turn on the “record the urls” function, but some do. How much data is sent to each carrier depends on how much they want. Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.

The company holds onto the data for 10 to 30 days, depending on the carrier.

Coward said he was not aware of any carriers selling the data it collects on their behalf to third-party marketers. He said Carrier IQ “has no rights to the data collected.”

The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system. While legal, rooting almost always voids a phone’s warranty.

Occupy Catch-22: Boston Cops Throw Out the Kitchen Sink

Boston Police move in swiftly and with heavy force to remove a sink from Occupy Boston

Yes, it has come to this — cops and Occupy protestors at one of the last major encampments in the United States are fighting over a kitchen sink.

Boston police moved in with heavy force on Thursday’s General Assembly meeting in Boston’s Dewey Square to remove a DIY grey-water sink intended to help Occupy Boston members wash their dishes and comply with sanitation requirements that the city says the encampment is violating.

But the Boston cops who surround the Financial camp day and night enforce an embargo on anything durable entering the camp. So after Occupiers gang-rushed the 10-foot-long industrial sink into the camp Thursday night, the cops forced their way into the camp to remove the ‘contraband.’

One officer guarded the sink, while he was surrounded by a cold and frustrated crowd chanting, “Let us do the dishes!”

The protesters, whom the city has claimed are unable to maintain a healthy and safe area for the Occupy, have been frustrated in their attempts to comply with a Boston PD policy that designates everything that isn’t clothing and food as “construction material” and bans it from entering the Occupy.

TheOccupy Boston blog explained on Friday morning:

We are being blocked from replacing our tents with flame-retardant, winterized tents; from adding stability to our fraying walkways; and from protecting the health and safety of our community. Meanwhile, the city, the fire marshal, and the Board of Health testify that we must address these issues. Were still figuring out how to make sense of this.

Protestors linked arms and surrounded the sink to block police from removing it, using the people’s mic to ask the police to cite the law they were enforcing. The officers remained silent — except for calling for backup, which soon appeared in abundance.

Special operations officers marched in and lifted the industrial-sized sink over the heads of seated protesters, then rushed it back out to the street where they loaded it in a police transport vehicle. The sink proved about two feet too long for the truck, and remained so, despite the repeated shoving of several officers.

Protestors, routed at the camp, ran into the street ahead of the police. They regrouped and locked arms in front of the truck as it tried to leave. While two officers guarded the still-dangling sink, other police formed a line arm-to-arm in front of the truck, resulting in a face-off.

Police and protester lines face off in a conflict over a sink, Thursday night.

Eventually, protestors relented and let the truck leave.

One man was arrested for assaulting a police officer, and the camp medics aided a women who reported by that she’d been struck by a police van, and appeared to have a dislocated knee. She was taken from the scene by ambulance.

Boston mayor Thomas Menino gave a visibly agitated interview on the subject to local news Friday morning.

“I’m not going to allow them to put up a kitchen sink in the occupied area of the city of Boston,” Menino said. “It’s beyond their rights. We’ll let them stay there; were not going to have them build a new town there.”

Mayor Menino and the Boston PD continue, for the moment, to “let them stay there” by generously obeying a restraining order issued against them by the Suffolk Superior Court that’s in effect until at least Dec. 15.

This post is part of a special series from Quinn Norton, who is embedding with Occupy protestors and going beyond the headlines with Anonymous for Wired.com. For an introduction to the series, read Quinn’s description of the project.

Photos: Quinn Norton/Wired

Duqu Trojan attackers cleaned their tracks well, analysis finds

GCHQ code-breaking challenge cracked by Google search

A simple Google search unlocks the supposedly secret completion page to GCHQ's code-cracking competition.

The signals snooping agency launched a codebreaking competition this week, promoted via social networks, that aimed to find would be code breakers that conventional recruitment efforts might miss. The canyoucrackit.co.uk challenge involved making sense of a 16x10 grid of 8-bit hexadecimal numbers to figure out a password, and then developing a virtual machine to execute code that would lead to the final page.

Puzzle-solvers had 10 days to crack the codes. However instead of solving this puzzle, which was not trivial to conquer, at least if some of the emails we've received are any guide, the completion page could be reached via a simple Google search.

Oops.

"All it takes to find the page is to use the site: command in Google, as the 'Can You Crack It?' webmaster seemingly didn't hide the success page from search engines," Graham Cluley of net security firm Sophos explains.

Given the interest in the competition perhaps it was inevitable that someone would find some sort of side-channel to cheat the challenge, which doesn't mean that the exercise is now not worth participating in especially for those keen on puzzle-solving and base-16 crosswords.

The canyoucrackit.co.uk website was set up in partnership with a recruitment agency and at arm's length from GCHQ itself. El Reg doubts anyone from the intelligence agency was involved in setting up the website, but we are unable to immediately confirm this on Friday afternoon.

Quantum computing comes closer as diamonds get spooky

International boffins are chuffed today to publish cunning research in which they demonstrate quantum entanglement - the "spooky action at a distance" so disliked by Einstein - between a pair of small synthetic diamonds: and, this is the clever bit, at room temperature rather than in a cryogenic chamber or similar, so bringing the long hoped-for quantum computer hardware that bit nearer.

The scientists write:

Entanglement is usually fragile in room-temperature solids, owing to strong interactions both internally and with the noisy environment. We generated motional entanglement between vibrational states of two spatially separated, millimeter-sized diamonds at room temperature. By measuring strong nonclassical correlations between Raman-scattered photons, we showed that the quantum state of the diamonds has positive concurrence with 98% probability. Our results show that entanglement can persist in the classical context of moving macroscopic solids in ambient conditions.

The entanglement was achieved and demonstrated in the two diamonds using a complicated setup of lasers and beam splitters such that a given photon could be in either diamond, so entangling them. Physicists have demonstrated entanglement many times before, but generally have needed to use very cold environments to avoid "noise" corrupting the experiment. It's also unusual to be able to entangle large, physically visible objects like diamond crystal, as opposed to individual atoms or similar.

All this is important to the IT world because entangled objects can function as quantum on-off devices, or "qubits". Qubits aren't just 1 or 0 like regular classical bits: they could contain a whole load of info.

Entangled qubits would theoretically also be the dog's bits, as they might be used to build hard-to-understand yet puissant "quantum computers". Quantum computing has been modelled and theorised, and it's known could it be achieved it would offer some interesting possibilities: not least the breaking of current encryption and, of course, the chance of new and provably unbreakable crypto to replace it.

Doing this sort of thing at normal temperatures with normal-ish objects means that the boffins, led by Ian Walmsley of Oxford uni, get a headline in prestigious boffinry journal Science for their work. Unfortunately it seems that we won't be getting our quantum computers just yet.

"I am not sure where this particular work will go from here," Andrew Cleland, a rival quantum boffin in California, tells rival journal Nature. "I can't think of a particular use for entanglement that lasts for only a few picoseconds."

But Walmsley for his part insists that "diamond could form the basis of a powerful technology for practical quantum information processing".

RIM's BlackBerry PlayBook rooted

The BlackBerry PlayBook tablet has been rooted, just like the Amazon Kindle Fire and other fondleslabs before it, in a development that promises tech enthusiasts the ability to install apps of their choosing, rather than being stuck with those already pre-loaded onto the device.

Gadget enthusiasts have posted a video as evidence that the Research In Motion-manufactured device can be tinkered with in order to run unauthorised applications and control components that users do not normally have access to. Unlike earlier work on tablet-rooting by tech enthusiasts at the XDA Developers forum, the video fails to provide clear instructions on how to root the PlayBook.

The hacker in the video, who uses the nickname Neuralic, boasts that his team has broken RIM's security without explaining the underlying vulnerability he might have used to pull off the trick. However Neuralic says he and two his gadget-hacking colleagues plan to develop and release a tool that will allow consumers to root the device.

In a statement, RIM said it was in the process of investigating the jailbreak claim, Kaspersky Lab's Threatpost blog reports.

"Research In Motion is aware of a claim made on Twitter by security researchers working together that suggests the ability to 'jailbreak' a BlackBerry PlayBook tablet. BlackBerry smartphone users are not affected," the firm said.

"RIM is currently investigating this claim and has been in contact with one of the security researchers to discuss it. If it is determined that the claim is accurate, RIM will follow its standard response process to develop and release a software update that is designed to minimise adverse impact to our customers or carrier partners.

"RIM is aware that the security researchers have stated they intend to release a tool to jailbreak the BlackBerry PlayBook tablet. If such a tool is released, RIM will investigate it," it added.

Yahoo! 0-day! exploit! hijacks! status! updates!

Security researchers have discovered an unpatched flaw in Yahoo! Messenger that allows miscreants to change any user's status message.

Hijacked status updates are a handy way to persuade a victim's contacts to click on a link and lead them to a dangerous website. Worse still, the bug in version 11.x of the Messenger client requires minimal user interaction to work, unlike previous exploits that relied on conning prospective marks.

The attacker sends a supposed file to a target that is actually an iframe that swaps the status message for the attacker's customised text, as explained in a blog post by net security firm BitDefender here. The message might be, and in most attack scenarios would be, sent firm outside a targeted user's contact list.

If successfully executed, a victim will have no indication that his or her status message has been rewritten. The ruse might be used to gain affiliate incomes by promoting dodgy sites as well as directing users towards sites loaded with exploits or scareware scams.

Bitdefender said it has notified Yahoo about the vulnerability. Attacks based on the as yet unfixed flaw have already been detected in the wild, the Romanian security firm warns.

It advises users to change the setting of their IM client to ignore anyone who is not in your Yahoo! Contacts" (which is off by default) as a precaution pending the release of a patch. In addition, some security suites include a web filter function that ought to defend users from this attack.

Carrier IQ VP: App on millions of phones not a privacy risk

HP printer vulnerabilities leave millions of printers susceptible to attack

Although computers and mobile devices seem to be at the top of cybercriminals hacking to-dolists nowadays, researchers from Columbia University are warning of a devastating hack attacktargeting local printers.

Compared to the problem that mobile phones and tablets pose to corporate networks, this is smallpotatoes

Ed Skoudis, senior security consultant, InGuardians

A new study from Columbia Universitys Department of Computer Science claims tens of millions ofHewlett-Packard printers are vulnerable to attack. According to HP, the flaws exist in its LaserJetprinters made before 2009, but researchers claim other brands could possibly harbor thevulnerabilities as well.

Few details have leaked regarding the printerattack research. According to an Internet Storm Center(ISC) blog entry, before installing a firmware update, the printers in question dont checkdigital signatures. The devices Remote Firmware Update feature doesnt require authentication oreven a password for the update to commence, making it easy for hackers to compromise the machines.Long story short, for an embedded system (or any system for that matter) if you can rewrite theoperating system you can control the device and make it do all sorts of unintended things, wroteJohn Bambenek, one of the ISCs blog handlers.

The researchers demonstrated an attacker theoretically could remotely set a printer on fire byoverheating a fuser, penetrating computer networks and erasing code. HP, however, released astatement claiming the charges are sensational and the possibility of the machines catchingfire is false, saying the LaserJet printers contain a thermal breaker is designed to prevent thisfrom happening.

However, the company did admit it has identified a potential security vulnerability but onlyif placed on a public Internet without a firewall.

Organizations shouldnt panic because the technical details havent yet been released, said EdSkoudis, a SANS instructor and a founder and senior security consultant with InGuardians, aWashington, D.C.-based information security consulting firm. Skoudis said enterprises shouldalready be monitoring their printers and ensuring they are not connected to the Internet. Keep the devices patched and set some network filtering to constrain the printer to a limited setof connections, Skoudis said.

Compared to the problem that mobile phones and tablets pose to corporate networks, this issmall potatoes, Skoudis said. This is interesting and unique because of the physical threat posedvia cyber-means, but we need more details before we can assess the risk.

 The Columbia University researchers are also claiming there is no easy way to detect abreach. Best practices are likely sufficient to prevent against this attack, namely, you shouldnever have printers (or any other embedded device for that matter) exposed to the Internet,Bambenek wrote. He added that other than firewalling the device, monitoring traffic to and from themachine for anything other than its print jobs should give users a sign that something isawry.

HP said it is working on a firmware upgrade to mitigate the issue, but in the meantime, usersshould, like Bambenek explained, secure the machines with a firewall and disable remote firmwareupload on exposed printers.

Networkprinters, scanners and copiers have long been identified as a potential attack vector becausethey often store sensitive documents in their print spool. A CBS News report in 2009 highlightedthe problem of digitalimages stored on photocopiers. The news organization pulled hundreds of student names, homeaddresses, cell phone and Social Security numbers stored in the copiers hard drive.

~SearchSecurity.com News Director Robert Westervelt contributed to this report.

 

Adobe Flex update patches flaw in Flex application development framework

Carrier IQ Admits Holding Treasure Trove of Consumer Data, But No Keystrokes

MOUNTAIN VIEW, California — An embattled phone-monitoring software maker said Friday that its wares, secretly installed on some 150 million phones, have the capacity to log web usage, and to chronicle where and when and to what numbers calls and text messages were sent and received.

The Carrier IQ executives, speaking at their nondescript headquarters in a residential neighborhood in the heart of Silicon Valley, told Wired that the data they vacuum to their servers from handsets is vast — as the software also monitors app deployment, battery life, phone CPU output and data and cell-site connectivity, among other things. But, they said, they are not logging every keystroke as a prominent critic suggested.

The data, which gets downloaded from consumers’ phones roughly once a day, is encrypted during transit and also provided to carriers to enhance the “user experience,” these executives said.

“We do recognize the power and value of this data,” Andrew Coward, the chief marketing officer, said. “We’re very aware that this information is sensitive. It’s a treasure trove.”

Carrier IQ came under intense scrutiny the last few days after a Connecticut-based Android developerposted a YouTube video showing the software has enormous access to usage information, and claiming that it logs a user’s every keystroke. The company was hit with privacy lawsuit on Friday. What’s more, Democratic Senator Al Frankendemanded answers, asking Carrier IQ’s chief executive Larry Lenhart whether Carrier IQ was vacuuming to Carrier IQ’s servers every stroke and communication.

Company executives invited Wired to Carrier IQ offices Friday to debunk the keystroke logging claim. Coward also emphasized that the software does not know the content of websites or apps or text messages or phone calls, but acknowledged that it does transmit website addresses to some carriers as a diagnostic tool.

“We’re seeing URLS and we can capture that information,” Coward said during the two-hour interview.

He said that the information is useful for users who call the phone company complaining, for example, that Facebook won’t load.The carrier’s operator, he said, might tell the complaining customer that the reason it won’t load is because the customer is misspelling “Facebook.”

“They could say, ‘Facebook is spelled F-A-C-E-B-O-O-K,’” he said. “We certainly recognize that as a future thing for advertising, clearly having that information from a marketing perspective is very interesting.”

Since the company is getting the URLs from the phone, they are able to record encrypted search terms such as https://www.google.com/#hl=en&sugexp=ppwe&cp=3&gs_id=p&xhr=t&q=abortion+clinics. By contrast, your carrier, which sits between you and the internet, would normally only see https://www.google.com/ — for encrypted searches.

Not all Carrier IQ’s customer carriers choose to turn on the “record the urls” function, but some do. How much data is sent to each carrier depends on how much they want. Some carriers might want the text-message data, for example, only when certain conditions are met, such as when a text doesn’t go through to the intended recipient.

The company holds onto the data for 10 to 30 days, depending on the carrier.

Coward said he was not aware of any carriers selling the data it collects on their behalf to third-party marketers. He said Carrier IQ “has no rights to the data collected.”

The software runs hidden from users, who generally can’t find it or uninstall it without very sophisticated knowledge or by switching out the operating system by “rooting” their phone and flashing an alternative operating system. While legal, rooting almost always voids a phone’s warranty.

Occupy Catch-22: Boston Cops Throw Out the Kitchen Sink

Boston Police move in swiftly and with heavy force to remove a sink from Occupy Boston

Yes, it has come to this — cops and Occupy protestors at one of the last major encampments in the United States are fighting over a kitchen sink.

Boston police moved in with heavy force on Thursday’s General Assembly meeting in Boston’s Dewey Square to remove a DIY grey-water sink intended to help Occupy Boston members wash their dishes and comply with sanitation requirements that the city says the encampment is violating.

But the Boston cops who surround the Financial camp day and night enforce an embargo on anything durable entering the camp. So after Occupiers gang-rushed the 10-foot-long industrial sink into the camp Thursday night, the cops forced their way into the camp to remove the ‘contraband.’

One officer guarded the sink, while he was surrounded by a cold and frustrated crowd chanting, “Let us do the dishes!”

The protesters, whom the city has claimed are unable to maintain a healthy and safe area for the Occupy, have been frustrated in their attempts to comply with a Boston PD policy that designates everything that isn’t clothing and food as “construction material” and bans it from entering the Occupy.

TheOccupy Boston blog explained on Friday morning:

We are being blocked from replacing our tents with flame-retardant, winterized tents; from adding stability to our fraying walkways; and from protecting the health and safety of our community. Meanwhile, the city, the fire marshal, and the Board of Health testify that we must address these issues. Were still figuring out how to make sense of this.

Protestors linked arms and surrounded the sink to block police from removing it, using the people’s mic to ask the police to cite the law they were enforcing. The officers remained silent — except for calling for backup, which soon appeared in abundance.

Special operations officers marched in and lifted the industrial-sized sink over the heads of seated protesters, then rushed it back out to the street where they loaded it in a police transport vehicle. The sink proved about two feet too long for the truck, and remained so, despite the repeated shoving of several officers.

Protestors, routed at the camp, ran into the street ahead of the police. They regrouped and locked arms in front of the truck as it tried to leave. While two officers guarded the still-dangling sink, other police formed a line arm-to-arm in front of the truck, resulting in a face-off.

Police and protester lines face off in a conflict over a sink, Thursday night.

Eventually, protestors relented and let the truck leave.

One man was arrested for assaulting a police officer, and the camp medics aided a women who reported by that she’d been struck by a police van, and appeared to have a dislocated knee. She was taken from the scene by ambulance.

Boston mayor Thomas Menino gave a visibly agitated interview on the subject to local news Friday morning.

“I’m not going to allow them to put up a kitchen sink in the occupied area of the city of Boston,” Menino said. “It’s beyond their rights. We’ll let them stay there; were not going to have them build a new town there.”

Mayor Menino and the Boston PD continue, for the moment, to “let them stay there” by generously obeying a restraining order issued against them by the Suffolk Superior Court that’s in effect until at least Dec. 15.

This post is part of a special series from Quinn Norton, who is embedding with Occupy protestors and going beyond the headlines with Anonymous for Wired.com. For an introduction to the series, read Quinn’s description of the project.

Photos: Quinn Norton/Wired