Monthly Archives: May 2018

U.S. Lawmakers Denounce Purported ZTE Deal

The United States and China have a tentative deal to save embattled Chinese telecom company ZTE, days after the two nations announced a truce in their trade standoff, The Wall Street Journal reported Tuesday. The report sparked an immediate negative reaction on Capitol Hill, where top Republican and Democratic senators denounced it. Details remain to be hammered out, but according to the general outlines of the agreement as reported, Washington would lift a crippling ban on selling US components to the company, which in turn would make major changes to its management and executive board and possibly pay additional fines.

The company had faced collapse due to the US ban, which resulted from its violations of US sanctions against Iran and North Korea. Washington and Beijing on Saturday called a halt to a spiraling trade dispute sparked by US accusations of unfair trade practices and the alleged theft of US technology, suspending plans to impose tariffs on as much as £150 billion in Chinese imports. In a series of tweets, top Republican Senator Marco Rubio of Florida, who chairs a key subcommittee on foreign relations, denounced the move, vowing lawmakers would work on "veto-proof legislation" to stop the deal.

"If this is true, then the administration has surrendered to #China on #ZTE," Rubio wrote. "Making changes to their board & a fine won't stop them from spying & stealing from us." Minority Leader Chuck Schumer, Democrat of New York, said the proposed arrangement would "do nothing to protect American national or economic security and are simply a diversion from the fact that we have lost."

- Mnuchin on the Hill - Schumer said in a statement the White House and Treasury Secretary Steven Mnuchin had been duped by China. "President Xi has played President Trump and Secretary Mnuchin."

ZTE was fined £1.2 billion in March 2017 but last month it was prohibited from receiving needed US parts after the Commerce Department found the company had lied multiple times and failed to take actions against employees responsible for sanctions violations on Iran and North Korea. Trump has also faced accusations of quid-pro-quo after pledging to soften sanctions on ZTE just days after AFP reported a Chinese state firm would pour cash into a Trump-tied real estate venture. According to media reports, lawmakers were incensed last week by Trump's offer to rescue the company, which came via Twitter in the midst of the China trade talks.

The president angrily denied back-pedaling. And in testimony before the Senate on Tuesday, Mnuchin said the administration's primary goal was safeguarding US interests and denied any quid pro quo. "The objective was not to put ZTE out of business. The objective was to make sure they abide by our sanctions programs," Mnuchin said. "I can assure you anything that they consider will take into account the very important national security issues and those will be addressed." Mnuchin defended Trump's trade policy, saying he has been "more aggressive than any previous president ever," and is not looking for "short-term gains" but to "create a level playing field and make sure US technology is protected."

The administration's trade actions, together with efforts to reduce business regulation and the recent massive tax cut, already are impacting the economy, Mnuchin said.

He said GDP "could surprise on the upside very significantly" this year with growth of three percent or more.

Many economists see economic growth this year of close to that level, but expect it to slow in 2019 and beyond.

Cloudflare Improves DDoS Mitigation Tool

Cloudflare announced a series of improvements to its Rate Limiting distributed denial of service (DDoS) protection tool this week.

Over the past six months, the company has observed an uptick in application (Layer 7) based DDoS attacks and also noticed that the assaults aren't using huge payloads (volumetric attacks), but rely on a high number of requests per second to exhaust server resources (CPU, Disk and Memory). Attacks with over 1 million requests per second are a common thing, Cloudflare says.

Launched by the web infrastructure company a year ago, the Rate Limiting feature helps customers protect their web applications and APIs from various attacks, including DDoS, credential stuffing and content scraping.

In addition to the previously available Block and Simulate options, the tool now provides customers with Cloudflare JavaScript Challenge and Google reCaptcha (Challenge) mitigation actions available in the UI and API. Additionally, the company claims to have made Rate Limiting more dynamically scalable.

"A new feature has been added which allows Rate Limiting to count on Origin Response Headers for Business and Enterprise customers. The way this feature works is by matching attributes which are returned by the Origin to Cloudflare," the web protection company notes.

For credential stuffing protection, for example, Cloudflare customers can set a single rule (a Basic rate limit) or multiple rules (Advanced limits) to prevent abuse, depending on their needs. The aim is to let legitimate users log in (a person typically enters a wrong password about three times before reaching for the recovery option) while stopping bots, which cycle through thousands of credential combinations to see which ones work.

"With this type of tiering, any genuine users that are just having a hard time remembering their login details whilst also being extremely fast typers will not be fully blocked. Instead, they will first be given our automated JavaScript challenge followed by a traditional CAPTCHA if they hit the next limit. This is a much more user-friendly approach while still securing your login endpoints," Cloudflare points out.

Cloudflare's tool also includes a new origin headers feature that allows customers to configure their origin to respond with a header to trigger a rate-limit. A header is generated at the origin, and added to the response to Cloudflare.

"As we are matching on a static header, we can set a severity level based on the content of the Header. For example, if it was a repeat offender, you could respond with High as the Header value, which could Block for a longer period," Cloudflare explains.

Rate Limiting can also protect from the increasingly popular enumeration attacks, the company says.

Such assaults rely on identifying an expensive operation in an app and then overloading it to exhaust resources and slow or crash the app.

To fend off such attacks, one can set a rate limit on the 404 (page not found) responses the app returns when a requested user does not exist. Thus, if the threshold of 404s is crossed in a given period of time, the app can be set to challenge the client to prove it is a real person.
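The tiered login limits, the 404 enumeration limit and the origin-header severity described above, as an added illustration written for this page (not Cloudflare's implementation; the window, thresholds and block durations are constructed assumptions, and the sample events are constructed):

```python
from collections import defaultdict, deque

WINDOW = 60  # seconds per counting window (assumption)
RANK = {"allow": 0, "js_challenge": 1, "captcha": 2, "block": 3}
# Login tiers: once a client exceeds N requests in the window, apply the action.
LOGIN_TIERS = [(3, "js_challenge"), (6, "captcha"), (10, "block")]
NOT_FOUND_TIERS = [(5, "captcha")]  # 404s per window before challenging
# Origin response header value -> block duration; "High" marks a repeat offender.
BLOCK_SECONDS = {"Normal": 60, "High": 600}


class RateLimiter:
    def __init__(self, tiers, window=WINDOW):
        self.tiers = sorted(tiers)
        self.window = window
        self.hits = defaultdict(deque)  # client key -> request timestamps
        self.blocked_until = {}

    def check(self, key, now):
        """Record one request for `key` and return the mitigation action."""
        if self.blocked_until.get(key, 0) > now:
            return "block"
        q = self.hits[key]
        while q and q[0] <= now - self.window:  # drop hits outside the window
            q.popleft()
        q.append(now)
        action = "allow"
        for threshold, tier_action in self.tiers:
            if len(q) > threshold:  # highest exceeded tier wins
                action = tier_action
        return action

    def apply_origin_header(self, key, severity, now):
        """The origin answered with a rate-limit header; block for its severity."""
        self.blocked_until[key] = now + BLOCK_SECONDS.get(severity, BLOCK_SECONDS["Normal"])


def evaluate(events):
    """Run constructed (ts, client_ip, path, status) events through both limiters."""
    login, not_found = RateLimiter(LOGIN_TIERS), RateLimiter(NOT_FOUND_TIERS)
    actions = []
    for ts, ip, path, status in events:
        action = login.check(ip, ts) if path == "/login" else "allow"
        if status == 404:  # enumeration: count misses regardless of path
            action = max(action, not_found.check(ip, ts), key=RANK.get)
        actions.append(action)
    return actions


# Constructed samples: a human with three typos, a credential-stuffing bot,
# and a client enumerating user ids that do not exist.
HUMAN = [(t, "198.51.100.1", "/login", 401) for t in (0, 10, 20)]
BOT = [(t, "203.0.113.9", "/login", 401) for t in range(12)]
ENUM = [(t, "198.51.100.7", f"/users/{t}", 404) for t in range(6)]
```

The human's three attempts pass untouched, the bot escalates from JavaScript challenge to CAPTCHA to block within one window, and a "High" origin header keeps a client blocked long after its request counts have aged out.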

To mitigate content scraping, Rate Limiting includes support for rules to distinguish between users who browse heavily and bot attempts to copy content for redistribution or reuse. The tool counts the number of requests to each endpoint and the number of hits to the image store, as well as the number of served 404 and 403 pages.

Cloudflare also decided to increase the number of available rules for Pro and Business customers, for no additional charge.

Thus, Pro plans now include 10 rules, while Business plans include 15 rules.

Related: Cloudflare Launches Free Secure DNS Service

Related: Cloudflare Launches Remote Access to Replace Corporate VPNs

Activists Urge Amazon to Drop Facial Recognition for Police

More than 30 activist groups led by the American Civil Liberties Union urged Amazon Tuesday to stop providing facial recognition technology to law enforcement, warning that it could give authorities "dangerous surveillance powers." The organizations sent a letter to Amazon after an ACLU investigation found Amazon had been working with a number of US law enforcement agencies to deploy its artificial intelligence-powered Rekognition service. "Rekognition marketing materials read like a user manual for authoritarian surveillance," said Nicole Ozer of the ACLU of California.

"Once a dangerous surveillance system like this is turned against the public, the harm can't be undone." A letter to Amazon chief Jeff Bezos was signed by groups including the Electronic Frontier Foundation, Black Lives Matter, Freedom of the Press Foundation and Human Rights Watch. "Amazon Rekognition is primed for abuse in the hands of governments," the letter said.

"This product poses a grave threat to communities, including people of color and immigrants, and to the trust and respect Amazon has worked to build." Amazon is one of many companies in the US and elsewhere which deploy facial recognition for security and law enforcement. Some research has indicated that such programs can be error-prone, particularly when identifying people of color, and activists argue these systems can build up large databases of biometric information which can be subject to abuse.

In China, authorities have created a digital surveillance system able to use a variety of biometric data -- from photos and iris scans to fingerprints -- to keep close tabs on the movements of the entire population, and use it to publicly identify lawbreakers and jaywalkers. The ACLU released documents showing correspondence with police departments in Florida, Arizona and other states on Rekognition, which is a service of Amazon Web Services. The US activist groups say a large deployment by Amazon, which is one of the leaders in artificial intelligence, could lead to broad surveillance of the US population.

"People should be free to walk down the street without being watched by the government," the letter said. "Facial recognition in American communities threatens this freedom. In overpoliced communities of color, it could effectively eliminate it.

The federal government could use this facial recognition technology to continuously track immigrants as they embark on new lives." Amazon did not immediately respond to an AFP request for comment on the letter.

Related: New iPhone Brings Face Recognition (and Fears) to the Masses

Related: Huge US Facial Recognition Database Flawed: Audit

Related: The Impending Facial Recognition Singularity