When we released our CIA: Collect It All card game based on a declassified CIA training card game, we had included a fun little Easter egg in there, with help from Jon Callas, who helped create modern day encryption. So far, I believe a grand total of... two people have found it, solved it, and told me about it (though it's possible many more have done so). That was neat, but we had nothing to give them beyond the satisfaction of having solved the puzzle. It seems that others have gone much, much farther with this idea.

Five years ago, Tarah Wheeler put together a big Kickstarter for the book Women in Tech, with advice/ideas/thoughts/stories from a variety of successful women in the tech field.

Five years after publishing that book, Wheeler has now revealed that she flooded the book with hidden puzzles, and while releasing the book itself was a massively difficult project, the fact that a bunch of people found and worked on the puzzles was part of what made it all worth it:

I hated this fucking book. I hated it while I was writing it. I didn’t think that would happen. But I did....

And yet...

There was a secret in that book. It’s a secret that I’ve kept for half a decade, and while I’ve loved the wonderful messages and notes of support from people who’ve benefitted from this work, the puzzles I hid in it are the only unmitigated, unsoured, pure joy I’ve experienced in creating this Frankenstein’s Creature of a book.

I filled it with puzzles. I plastered it with puzzles. I was filled with anticipation at the thought that someday, people would see it.

Then some people noticed the codes and puzzles. A few people tried to solve them. Teams formed on Reddit and Twitter and Discord. And one small crew of four people finally journeyed to the end of the epic. And that’s how they won the secret buried treasure of pounds of precious silver.

The link above has some examples of the hidden puzzles, but here's just one:

Tarah then worked with Jon Callas (a familiar name!) to create amazing cipher wheels out of silver. You can see the wheels demonstrated in a video that Tarah put up recently:

Even better, she put up details on how to make your own cipher wheels, including 3D printing files to make your own as well at Github. This is a very cool project that, along with everything else that's fun about it, is a neat way to demonstrate how encryption works and why it's so important.

Earlier today we wrote about how Ajit Pai was pushing ahead with the Commerce Department's silly FCC petition regarding a re-interpretation of Section 230 of the Communications Decency Act. We noted that it wouldn't actually be that hard to just say that the whole thing is unconstitutional and outside of the FCC's authority (which it is). Some people have pushed back on us saying that if Pai didn't do this, Trump would fire him and promote some Trump stan to push through whatever unconstitutional nonsense is wanted.

Well, now at least there's some evidence to suggest that Trump also views the FCC -- a supposedly "independent" agency -- as his personal speech police. Of the Republican Commissioners, Brendan Carr has been quite vocal in his Trump boot-licking, especially with regards to Section 230. He's been almost gleeful in his pronouncements about how evil "big tech" is for "censoring conservatives," and how much he wants to chip away at Section 230. Pai has been pretty much silent on the issue until the announcement today. But the other Republican Commissioner, Mike O'Rielly, has at least suggested that he recognizes the Trump executive order is garbage. Six weeks ago he said he hadn't done his homework yet, but suggested he didn't think Congress had given the FCC any authority on this matter (he's right).

Just last week, during a speech, he made it pretty clear where he stood on this issue. While first saying he wasn't necessarily referencing the Trump executive order, he said the following:

Today, I would like to address a particularly ominous development in this space. To be clear, the following critique is not in any way directed toward President Trump or those in the White House, who are fully within their rights to call for the review of any federal statute's application, the result of which would be subject to applicable statutory and constitutional guardrails. Rather, I am very troubled by certain opportunists elsewhere who claim to be the First Amendment’s biggest heroes but only come to its defense when convenient and constantly shift its meaning to fit their current political objectives. The inconsistencies and contradictions presented by such false prophets would make James Madison’s head spin, were he alive to witness them.

The First Amendment protects us from limits on speech imposed by the government—not private actors—and we should all reject demands, in the name of the First Amendment, for private actors to curate or publish speech in a certain way. Like it or not, the First Amendment’s protections apply to corporate entities, especially when they engage in editorial decision making. I shudder to think of a day in which the Fairness Doctrine could be reincarnated for the Internet, especially at the ironic behest of so-called free speech “defenders.” It is time to stop allowing purveyors of First Amendment gibberish to claim they support more speech, when their actions make clear that they would actually curtail it through government action. These individuals demean and denigrate the values of our Constitution and must be held accountable for their doublespeak and dishonesty. This institution and its members have long been unwavering in defending the First Amendment, and it is the duty of each of us to continue to uphold this precious protection.

To be clear: I agree 100% with that statement, and am glad that O'Rielly was willing to stand up on principle to defend it.

And then, today, it was announced that the White House is pulling his renomination to the FCC. In other words, the White House is being a petty asshole, again, and firing anyone for not being in lockstep with the President's ridiculous unconstitutional whims.

There was some talk last week about how Senator James Inhofe's office was blocking O'Rielly's renomination over a different issue: the approval of L-Band spectrum for use by Ligado (formerly LightSquared). A variety of government organizations had opposed the use of this spectrum, fearing that it might interfere with GPS systems. However, the Ligado deal was unanimously approved by all five commissioners, so it's difficult to see why O'Rielly would be singled out, other than his nomination was up. The Inhofe/Ligado thing feels like a smokescreen for the 230 issue.

The question now is whether or not O'Rielly will serve out his term, or if he'll leave now that his renomination is not being considered. One hopes that he'll at least stick it out long enough to vote down the Petition on 230. Even if he did leave, it's unclear if a new Commissioner would get through any confirmation process prior to the election. Either way, at least it's nice to see one Republican Commissioner willing to stand up to Trump. We've criticized O'Rielly plenty of times in the past, but at least he's not taking the path of Carr (and even Pai) in dealing with this nonsense.

The more the DHS inserts itself into the ongoing civil unrest, the more unrestful it gets. President Trump sent his federal forces to Portland, Oregon -- the first of many "democrat" cities the president feels are too violent/unrestful -- to protect federal buildings from violent graffiti outbursts or whatever. When the DHS arrived -- represented by the CBP, ICE, US Marshals, and other federal law enforcement -- it announced its arrival with secret police tactics straight out of the Gestapo playbook.

Since that wasn't martial state enough, the federal officers turned things up, opening fire on journalists and legal observers. Literally. Local journalists were tear gassed, hit with pepper spray/pepper balls, and shot with "non-lethal" projectiles. The journalists and observers sued the federal government, securing a restraining order forbidding federal officers from continuing to violate the Constitution. Federal officers refused to stop (their) rioting and now may face sanctions for their actions. They will definitely be facing additional lawsuits since the restraining order made it clear willful violators would not be granted qualified immunity.

As if all of this wasn't enough, news leaked out that DHS was compiling "intelligence reports" on local journalists, as well as journalists located elsewhere in the nation who had published leaked DHS documents. One day after breaking the news about the journalist-targeting "intelligence reports," the Washington Post broke more news -- again with the aid of a leaked DHS document. This one shows the DHS is (still) on the wrong side of the First Amendment. It also appears to show the agency lying to its oversight.

A senior Department of Homeland Security official told a Senate committee earlier this month that the department had not collected, exploited or analyzed information from the electronic devices or accounts of protesters in Portland, Ore.

But an internal DHS document obtained by The Washington Post shows the department did have access to protesters’ electronic messages and that their conversations were written up in an “intelligence report” that was disseminated to federal law enforcement agencies, including the FBI, as well as state and local governments.

This news broke on July 31. On July 23, acting DHS undersecretary Brian Murphy told the Senate Intelligence Committee the agency's Intelligence and Analysis division had "neither collected nor exploited or analyzed information" obtained from "accounts" belonging to protesters or detainees.

Murphy had to have known his statements to the Intelligence Committee were false.

A DHS Open Source Intelligence Report dated six days before Murphy’s briefing to the committee shows that the I & A office analyzed messages that protesters exchanged on the Telegram messaging app. They discussed which routes to take during marches and how to avoid the police.

The messages quoted in the so-called "Open Source" report don't detail any planned wrongdoing. (Also: Telegram's encrypted messaging system cannot honestly be called "open source." It's not like viewing public accounts on social media, which is what "open source" usually means in this context.) Instead, the "analyzed" messages show protesters pointing out the obvious to each other. Walking towards or through residential neighborhoods draws less federal law enforcement attention. This makes sense because the feds are only there to defend the federal buildings located in downtown Portland. They're not in Portland to conduct normal law enforcement work Here's a representative quote:

“Seems they’re less inclined to go into residential neighborhoods which makes sense.”

And here's how those communications -- possibly obtained from an informant or undercover officer with access to the Telegram group -- were portrayed by DHS I&A.

[d]iscussing [...] TTPs [tactics, techniques and procedures] to evade law enforcement when being pursued…

The DHS has no business infiltrating groups participating in protected speech, just like it has no business compiling dossiers on journalists. Whatever pressure it may be feeling from an administration seemingly hellbent on portraying organic anti-police protests as organized antifa riots doesn't excuse these actions. The DHS may want to please its boss by bringing him some evidence of paid protesting, but it can't just ignore the Constitution until agents find what they're looking for.

We've mentioned at great length how Trump's executive order to more heavily "regulate" social media is an unworkable joke. It attempts to tackle a problem that doesn't exist ("Conservative censorship") by attacking a law that actually protects free speech (Section 230), all to be enforced by agencies (like the FCC) that don't actually have the authority to do anything of the sort. You can't overrule the law by executive order or regulatory fiat, nor can you ignore the Constitution. The EO is a dumb joke by folks who don't understand how any of this works, and it should be treated as such.

Instead, most press coverage of the move is still somehow framed as "very serious adult policy," despite being little more than a glorified brain fart.

The FCC also knows the order is unworkable garbage that flies directly in the face of years of espoused (government hands off) ideology by Ajit Pai, Brendan Carr and friends. And yet, terrified of upsetting dear leader, Pai issued a totally feckless statement on Monday stating the EO would be pushed through the rule-making process, pretending as if this was all just ordinary, sensible tech policy:

This is, you'll recall, the same guy who spent the last eight years insisting that fairly modest consumer protections governing telecom monopolies (net neutrality, privacy) was a vile example of "government run amok." It's the same guy whose entire policy platform revolves around the idea that hands off, limited government oversight universally results in near-mystical outcomes. The order to have the FCC regulate social media giants runs in stark contrast to nearly everything Pai professes to believe, including his adoration of free speech (since eliminating 230 would all but guarantee less of it). And yet he's completely unwilling to make so much as a cautiously critical peep.

Even if Pai's worried that he'll just be replaced by Carr (whose somehow even worse about intellectual consistency) for showing the slightest shred of backbone, there are ways that Pai could express his disdain for this order without upsetting King Donald (perhaps just use big words). But Pai does nothing of the sort. He's completely selling out everything he believes in to make Donald happy. Not only that, he attempts to frame the idea that we should shut down an idiotic assault on free speech before wasting everybody's time as itself an attack on free speech.

As a result we're wasting agency time and taxpayer resources (during a pandemic no less when 42 million Americans lack broadband, something actually under FCC authority) to pursue an inherently dumb and dangerous idea.

Now we move on to the next step in pretending this is real policy: opening the FCC comment system to 45 day of public comments. Except as we saw with the net neutrality repeal (in which the telecom industry used fake and dead people to support terrible and unpopular policy), the FCC doesn't actually do much to prevent fraud or abuse. So anybody eager to see Silicon Valley saddled with additional regulatory oversight (like its ad competitors in telecom or K Street political operatives) are going to stuff the ballot box with nonsense, taking us further down the rabbit hole of pretending Trump's EO is serious adult policy making.

In short we've got a garbage, unworkable proposal being shuffled through elaborate NTIA and FCC policy making system at taxpayer expense during a crisis, all "supported" by people too afraid of Donald Trump to show even the faintest hint of consistency or backbone. In other words, just another ordinary Monday in Washington.

Early in 2019, we wrote about stream-ripping site FLVTO.biz winning in court against the record labels on jurisdictional grounds. The site, which is Russian and has no presence in the United States, argued that the courts had no jurisdiction. The RIAA labels argued against that, essentially claiming that because Americans could get to the site it therefore constituted some kind of commercial contract, even though no actual contract existed. Instead, the site merely makes money by displaying advertisements. The court very much agreed and dismissed the case.

On appeal in May, however, the case was sent back to the lower court.

The labels then took their case to the Fourth Circuit appeals court back in May, where judges concluded that the district court judge was wrong to quickly dismiss the lawsuit on those jurisdiction grounds. The appeal judges listed various reasons why it could be deemed that FLVTO.biz and 2conv.com were actively trading in the US – and specifically Virginia – even though the websites are formally based in Russia and don’t require any sign-up from users.

The technical interaction that occurred between Kurbanov’s servers and the computers of his site’s American users constituted a “commercial relationship”; he’d had business dealings with US-based advertisers and server companies and registered a ‘DMCA agent’ with the US Copyright Office; plus he could but didn’t seek to geo-block Americans from using FLVTO.biz and 2conv.com.

It should be immediately clear how dangerous this is for a healthy international internet to exist. The idea that a website, whatever its purpose, could find itself in the jurisdiction of any nation just because that nation's population can reach that website is absurd. Should Wikipedia be in the jurisdiction of Saudi Arabia just because it doesn't geoblock that country? Should Cosmo Magazine's site be subject to the laws of Mexico if its people can get to the site?

No, that's absurd. Were that the standard, it would be a legal quagmire for any site to operate unless it geoblocked every country where it doesn't have a direct presence. And that, it should be obvious, would be the end of a free and open international internet. Which is why FLVTO's lawyers want this to go to the Supreme Court.

Speaking to Torrentfreak, one of those lawyers, Evan Fray-Witzer, said the Fourth Circuit’s ruling set a dangerous precedent that could have a big impact on all foreign website operators. This makes it important enough for Supreme Court consideration, he added.

“The Supreme Court has not yet decided a case concerning personal jurisdiction based on internet contacts and we think this case would be a good opportunity for the court to address the issue head-on”, he continued.

And so we wait, I suppose, to see if SCOTUS would kindly like to un-break the internet.

The Accredited Agile Project Management Bundle by SPOCE is designed to equip users with the know-how they need to master Agile project management, PRINCE2 Project Management, and PRINCE2 Agile Project Management. You'll learn the skills needed for managing and delivering successful projects. You'll also gain an understanding of risk management, planning, handling change, and more. It's on sale for $99.

Note: The Techdirt Deals Store is powered and curated by StackCommerce. A portion of all sales from Techdirt Deals helps support Techdirt. The products featured do not reflect endorsements by our editorial team.

As Mike reported last week, the DOJ rounded up three alleged participants in the massive Twitter hack that saw dozens of verified accounts start tweeting out promises to double the bitcoin holdings of anyone who sent bitcoin to a certain account.

Three people were arrested. The ringleader appears to be a 17-year-old Tampa, Florida resident. The other two suspects are a 22-year-old Florida man and a 19-year-old from the UK. The hack was achieved through social engineering, giving the suspects access to an internal dashboard used by Twitter employees. This gave them access to multiple accounts, as well as all any direct messages sent to and from those accounts. That it was all just a bitcoin scam is somewhat of a relief, although not so much for victims who were duped out of nearly $100,000 via 400 transactions.

A rather interesting aspect of the investigation was pointed out by CNET reporter Alfred Ng. There are plenty of places investigators can go to obtain evidence stored on websites. But they don't always need a subpoena or warrant. Sometimes the information is already out in the open, having been harvested by malicious hackers and shared online. No paperwork needed.

If you can't read/see the tweet, it says:

wow, the FBI used a stolen database of OGUsers from April to identify one of the people allegedly involved in the Twitter hack

The information is contained in the criminal complaint [PDF] against 19-year-old UK resident Mason John Sheppard, a.k.a. "Chaewon." Ironically, a forum used by social media account hackers was itself hacked, resulting in a stash of info investigators were able to access without having to approach the site directly. From the complaint:

On April 2, 2020, the administrator of the OGUsers forum publicly announced that OGUsers website was successfully hacked. Shortly after the announcement, a rival criminal hacking forum publicly released a link to download the OGUsers forum database, claiming it contained all of the forum’s user information. The publicly released database has been available on various websites since approximately April 2020. On or about April 9, 2020, the FBI obtained a copy of this database. The FBI found that the database included all public forum postings, private messages between users, IP addresses, email addresses, and additional user information. Also included for each user was a list of the IP addresses that user used to log into the service along with a corresponding date and timestamp.

I reviewed records and communications that are part of this publicly-released database. I also found that on February 4, 2020, Chaewon exchanged private messages on OGUsers with another user of the forum during which Chaewon made a purchase of a video game username and was instructed to send bitcoin to address 188ZsdVPv9Rkdiqn4V4V1w6FDQVk7pDf4 (hereinafter, “the Chaewon purchase address”).

From there, the FBI was able to track bitcoin transactions, locate Sheppard's email address, and use that additional information to obtain information from virtual currency exchanges, Binance and Coinbase. With all of this information, the FBI was able to connect "Chaewon" and other usernames to Mason Sheppard to locate him and charge him with assisting in the hacking and bitcoin scam.

No warrants were needed. The info from the forum hack was already in the public domain. Bitcoin transactions are considered financial records, standing outside of the Fourth Amendment's protections. Even if it would possibly be more prudent to directly approach websites with subpoenas or warrants to obtain records, it appears to be far easier to just access data obtained from malicious hacking. And there are companies out there compiling information from data breaches and malicious hackings and selling access to law enforcement agencies who feel judges and additional paperwork will just slow them down.

Is there anything the DHS can't turn into a debacle while pretending to secure the homeland? It would appear it's impossible for America's least essential security agency to move forward without stepping in something.

As protests in Portland neared the 60-day mark, the DHS was tasked with protecting federal property like courthouses and… um… statues. ICE, CBP, Federal Protective Services, and US Marshals all arrived in Portland ready to go to war with people exercising their First Amendment rights. You only have one chance to make a first impression, and the unidentified officers from unknown agencies throwing protesters into unmarked vehicles was one hell of a first impression.

The federal agencies went to war, firing tear gas and projectiles at protesters, rioters, journalists, and legal observers. It made no difference to the DHS which was which. But it did make a difference to a federal judge, who issued a temporary restraining order forbidding federal officers from attacking, gassing, assaulting, or arresting journalists and observers who were just trying to do their jobs.

The federal officers immediately violated the restraining order. Or, more accurately, they never stopped doing the stuff that earned them the restraining order in the first place. Apparently, the DHS feels it hasn't violated First Amendment rights hard enough. The latest black eye for the DHS is more targeting of journalists, this time with surveillance.

The Department of Homeland Security has compiled “intelligence reports” about the work of American journalists covering protests in Portland, Ore., in what current and former officials called an alarming use of a government system meant to share information about suspected terrorists and violent actors.

Over the past week, the department’s Office of Intelligence and Analysis has disseminated three Open Source Intelligence Reports to federal law enforcement agencies and others, summarizing tweets written by two journalists — a reporter for the New York Times and the editor in chief of the blog Lawfare — and noting they had published leaked, unclassified documents about DHS operations in Portland. The intelligence reports, obtained by The Washington Post, include written descriptions and images of the tweets and the number of times they had been liked or retweeted by others.

Ironically, one of the leaks involved discussions of other leaks. An internal memo leaked to Benjamin Wittes, who runs the Lawfare blog, complains about earlier leaks.

Here's an excerpt from the leaked memo about leaked memos.

[T]he ongoing leaks related to our work in Portland remain of great to concern as it distracts from our mission and creates opportunities for others to exploit this information for their own benefit. This is wrong and we must make every effort to protect our information and prevent our work from being manipulated in any way.

Not sure what this official thinks journalists are "exploiting" and "manipulating." One of the leaked documents published by Lawfare gave DHS components permission to engage in domestic surveillance on behalf of statues and monuments. There doesn't appear to be any spin here.

It appears the DHS will stop doing this thing it supposedly only just started doing just this one time, allegedly without the knowledge of the guy acting like he's running the place. An angry statement was issued after the [acting] boss was just right now informed about these things.

“Upon learning about the practice, Acting Secretary Wolf directed the DHS Intelligence & Analysis Directorate to immediately discontinue collecting information involving members of the press,” a department spokesman said in a statement. “In no way does the Acting Secretary condone this practice and he has immediately ordered an inquiry into the matter. The Acting Secretary is committed to ensuring that all DHS personnel uphold the principles of professionalism, impartiality and respect for civil rights and civil liberties, particularly as it relates to the exercise of First Amendment rights.”

But see the ongoing violations of the restraining order that was supposed to force federal officers to "uphold the principles of professionalism" and "respect civil rights and liberties." See also the DHS's arguments in court, where it claimed protecting the government's stuff was more important than protecting citizens' rights.

The Federal Defendants intend to keep dispersing journalists and legal observers. See ECF 67 at 20 (arguing that allowing journalists and legal observers to remain "is not a practicable option"). The actions by the federal agents described by Plaintiffs are part of a pattern of officially sanctioned conduct. The Federal Defendants argue that such conduct is necessary to protect federal property.

This is why I'm not falling for Acting Director Chad Wolf's "I'm shocked, SHOCKED to discover there is disrespect for civil liberties in my agency" shtick. That and all the other times the federal government -- including agencies under the DHS's roof -- have engaged in domestic surveillance targeting journalists. And it wasn't just open source intel gathered from publicly available sites. It was also journalists' communications.

A senior Department of Homeland Security official told a Senate committee earlier this month that the department had not collected, exploited or analyzed information from the electronic devices or accounts of protesters in Portland, Ore.

But an internal DHS document obtained by The Washington Post shows the department did have access to protesters’ electronic messages and that their conversations were written up in an “intelligence report” that was disseminated to federal law enforcement agencies, including the FBI, as well as state and local governments.

This all looks very bad. But under this administration, harming journalists and/or curtailing their rights is probably fine. The President thinks most of them are "fake news" purveyors. Trump also believes most protesters are anarchists and "antifa." The DHS is under considerable pressure to make the Commander-in-Chief's conspiratorial dreams come true.

Officials who are familiar with the reports, and who spoke on the condition of anonymity to candidly discuss them, said they are consistent with the department’s aggressive tactics in Portland, and in particular the work of the Intelligence and Analysis Office, which they worried is exceeding the boundaries of its authority in an effort to crack down on “antifa” protesters to please President Trump.

All of this is troubling. If it's leak investigations, the DHS needs to keep that in-house and stop violating the Constitution. If the agency is fishing for (nonexistent) evidence of anarchists embedded in local newspapers, it's even more problematic.

The DHS was asked to rein in protests in Portland -- something the President blames on the city and state's "liberal" leadership. The DHS has failed to do anything but make itself -- and everyone involved with its response -- look worse. And every new move it makes only causes more reputational damage. The DHS needs to leave Portland before it hurts itself again.