Google

Google Adds Spam Detection and Verified Business SMS To Messages (engadget.com) 14

Businesses often send one-time passwords, account alerts and appointment confirmations via text. But if you've ever received one of those, you know they tend to come from a random number, and bad actors can take advantage of that by disguising phishing scams as one of those messages. To protect users, Google will soon verify SMS messages from registered businesses. From a report: When you receive a message from a verified business, you'll see the company name, logo and a verification badge in the message thread. Businesses must sign up to use Verified SMS, and so far, 1-800-Flowers, Banco Bradesco, Kayak, Payback and SoFi are on-board. Verified SMS is rolling out gradually in the US, Brazil, Canada, France, India, Mexico, Philippines, Spain and the UK. Google is also adding real-time spam detection. When Google suspects a message is phishy or garbage, it will show a spam warning in Messages.
Security

Maze Ransomware Was Behind Pensacola 'Cyber Event,' Florida Officials Say (arstechnica.com) 5

An anonymous reader quotes a report from Ars Technica: An email sent by the Florida Department of Law Enforcement to all Florida county commissioners indicated that the ransomware that struck the city of Pensacola on December 7 was the same malware used in an attack against the private security firm Allied Universal, according to a report by the Pensacola News Journal. That malware has been identified elsewhere as Maze, a form of ransomware that has also been distributed via spam email campaigns in Italy.

Bleeping Computer's Lawrence Abrams reported in November that the Maze operators had contacted him after the Allied Universal attack, claiming to have stolen files from the company before encrypting them on the victims' computers. After Allied apparently missed the deadline for payment of the ransom on the files, the ransomware operators published 700 megabytes of files from Allied and demanded 300 Bitcoins (approximately $2.3 million) to decrypt the network. The Maze operators told Abrams that they always steal victims' files to use as further leverage to get them to pay: "It is just a logic. If we disclose it who will believe us? It is not in our interest, it will be silly to disclose as we gain nothing from it. We also delete data because it is not really interesting. We are neither espionage group nor any other type of APT, the data is not interesting for us."
"The use of the data to blackmail the victim, and in Allied's case, the threat to use Allied's certificates and domain name to spam customers with additional ransomware attacks, is something new," writes Sean Gallagher.

"This is the first time this has ever happened, as far as we know," said Brett Callow, a spokesperson for the antivirus software vendor Emsisoft. "Ransomware groups usually encrypt, not steal. We expect data exfiltration to become more and more commonplace. Whether Pensacola's data was exfiltrated, I obviously can't say."
Open Source

Open-Source Security Nonprofit Tries Raising Money With 'Hacker-Themed' T-Shirts (ostif.org) 11

The nonprofit Open Source Technology Improvement Fund connects open-source security projects with funding and logistical support. (Launched in 2015, the Illinois-based group includes on its advisory council representatives from DuckDuckGo and the OpenVPN Project.)

To raise more money, they're now planning to offer "hacker-themed swag" and apparel created with a state-of-the-art direct-to-garment printer -- and they're using Kickstarter to help pay for that printer: With the equipment fully paid for, we will add a crucial revenue stream to our project so that we can get more of our crucial work funded. OSTIF is kicking in half of the funding for the new equipment from our own donated funds from previous projects, and we are raising the other half through this Kickstarter. We have carefully selected commercial-grade equipment, high quality materials, and gathered volunteers to work on the production of the shirts and wallets.
Pledges of $15 or more will be rewarded with an RFID-blocking wallet that blocks "drive-by" readers from scanning cards in your pocket, engraved with the message of your choice. And donors pledging $18 or more get to choose from their "excellent gallery" of t-shirts. Dozens of artists have contributed more than 40 specially-commissioned "hacker-themed" designs, including "Resist Surveillance" and "Linux is Communism" (riffing on a 2000 remark by Microsoft's CEO Steve Ballmer).

There are also shirts commemorating Edward Snowden (including one with an actual NSA document leaked by Edward Snowden) as well as a mock concert t-shirt for the "world tour" of the EternalBlue exploit listing locations struck after it was weaponized by the NSA. One t-shirt even riffs on the new millennial catchphrase "OK boomer" -- replacing it with the phrase "OK Facebook" using fake Cyrillic text.

And one t-shirt design shows an actual critical flaw found by the OSTIF while reviewing OpenVPN 2.4.0.

So far they have 11 backers, earning $790 of their $45,000 goal.
IT

Keybase Moves To Stop Onslaught of Spammers on Encrypted Message Platform (arstechnica.com) 13

From a report: Keybase started off as co-founder and developer Max Krohn's "hobby project" -- a way for people to share PGP keys with a simple username-based lookup. Then Chris Coyne (who also was co-founder of OkCupid and SparkNotes) got involved and along came $10.8 million in funding from a group of investors led by Andreessen Horowitz. And then things got increasingly more complicated. Keybase aims to make public-key encryption accessible to everyone, for everything from messaging to file sharing to throwing a few crypto-coins someone's way. But because of that level of accessibility, Keybase faces a very OkCupid kind of problem: after drawing in people interested in easy public-key crypto-based communications and then drawing in blockchain lovers with its partnership with (and funding from) Stellar.org, Keybase has also drawn in spammers and scammers. And that has brought a host of alerts and messages that have made what was once a fairly clear communications channel into one clogged with unwanted alerts, messages, and other unpleasantry -- raising a chorus of complaints in Keybase's open chat channel. It turns out there's a reason spell check keeps wanting to tell me that Keybase should be spelled "debase."

Keybase's leadership is promising to do something to fix the spam problem -- or at least make it easier to report and block abusers. In a blog post, Krohn and Coyne wrote, "To be clear, the current spam volume isn't dire, YET. Keybase still works great. But we should act quickly." But the measures promised by Keybase won't completely eliminate the issue. And Keybase execs have no interest in getting involved with additional steps that they see as censorship. "Keybase is a private company and we do retain our rights to kick people out," the co-founders said in the blog post. "That hammer will not be used because someone is mostly disliked, as long as they're playing nicely on Keybase."

Privacy

Most of the Largest US Voting Districts Are Vulnerable To Email Spoofing (techcrunch.com) 19

Researchers at Valimail found that only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks. TechCrunch reports: Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender's email and rejects fraudulent or spoofed emails. DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address, by sending them to spam or bouncing them from the target's inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know.

But the research found that although DMARC is enabled on many domains, it's not properly enforced, rendering its filtering efforts largely ineffective. The researchers said 66% of the district election-related domains had no DMARC entry at all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether. [...] The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data or delete it altogether, a move that would potentially disrupt the democratic process.
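To make the breakdown above concrete, here is an added example (not code from TechCrunch or Valimail) that classifies DMARC TXT records into the same buckets the report describes and computes the share of domains in each; the domains and records are constructed, and the RFC 7489 parsing is simplified as noted in the code.

```python
"""Classify DMARC TXT records into the buckets the Valimail survey used:
no record, invalid record, valid but unenforced (p=none), or enforced.

Added example, not code from TechCrunch or Valimail. The sample records are
constructed for illustration; none belongs to a real domain. Parsing follows
RFC 7489 in simplified form: a missing or bad 'p' tag is treated as invalid,
rather than applying the RFC's rua-based fallback to p=none.
"""
from __future__ import annotations

from collections import Counter

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict[str, str] | None:
    """Return the record's tags as a dict, or None if it is not a valid policy record."""
    tags: dict[str, str] = {}
    parts = [p.strip() for p in record.split(";")]
    for part in parts:
        if not part:            # tolerate a trailing ';'
            continue
        if "=" not in part:
            return None
        name, value = part.split("=", 1)
        name = name.strip().lower()
        if name in tags:        # duplicate tags are not permitted
            return None
        tags[name] = value.strip()
    # 'v=DMARC1' must be the first tag (whitespace around '=' is allowed).
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    # 'p' is mandatory for a policy record; 'sp' and 'pct' are optional.
    if tags.get("p") not in POLICIES:
        return None
    if "sp" in tags and tags["sp"] not in POLICIES:
        return None
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return None
    return tags


def classify(record: str | None) -> str:
    """Bucket one domain's DMARC record the way the survey described it."""
    if record is None:
        return "no record"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    if tags["p"] == "none":
        return "monitoring only"          # valid, but nothing is rejected or quarantined
    if int(tags.get("pct", "100")) < 100:
        return "partially enforced"       # only a sample of failing mail is acted on
    if tags.get("sp") == "none":
        return "enforced (subdomains unprotected)"
    return "enforced"


def survey(records: dict[str, str | None]) -> dict[str, float]:
    """Percentage of domains in each bucket, the form in which the report summarised it."""
    counts = Counter(classify(r) for r in records.values())
    total = len(records)
    return {bucket: round(100 * n / total, 1) for bucket, n in counts.items()}


# Constructed sample: hypothetical county domains, not real DNS data.
SAMPLE: dict[str, str | None] = {
    "county-a.example": None,
    "county-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@county-b.example",
    "county-c.example": "v=DMARC1; p=reject; rua=mailto:dmarc@county-c.example",
    "county-d.example": "v=DMARC1; p=quarantine; pct=25",
    "county-e.example": "v=DMARC1; p=reject; sp=none",
    "county-f.example": "p=reject; v=DMARC1",                       # wrong tag order
    "county-g.example": "v=DMARC1; p=rejcet",                       # typo in policy
    "county-h.example": "v=DMARC1; rua=mailto:x@county-h.example",  # no 'p' tag
}

if __name__ == "__main__":
    for domain, rec in SAMPLE.items():
        print(f"{domain:20} {classify(rec)}")
    print(survey(SAMPLE))
```

In a real check the record would come from a TXT lookup of `_dmarc.<domain>`; this block keeps the lookup out so it runs offline.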

Spam

People Worldwide Have Received More Than 26 Billion Spam Calls This Year (techcrunch.com) 113

Do you feel you have been receiving more spam calls of late? You are probably not wrong -- or alone. From a report: The volume of spam calls has grown by 18% globally this year, according to Truecaller. In its annual report published Tuesday, the Stockholm-based firm said users worldwide received 26 billion spam calls between January and October this year -- up from 17.7 billion during the same period last year. The United States remains the eighth most spammed country, where the volume of robocalls increased by 35% this year. In a separate report earlier this year, Truecaller estimated that 43 million Americans were scammed last year and lost about $10.5 billion. The growth is despite the efforts local carriers and authorities have made in the country. Brazil again topped the list for the most spammed country. The culprits behind the ever-growing volume of spam calls in the country are its own telecom operators and internet service providers. Truecaller said that in the last 12 months, calls from the operators have increased from 32% to 48%.

[...] One of the takeaways from the report is just how complex it is to understand the nature of these spam calls. There is no common thread -- or culprit -- behind these calls. In some markets, such as South Africa (ranked sixth in the report), spammers are mostly making fraudulent tech support calls and conducting job offer scams. Peru, ranked second, and Indonesia, ranked third, have each seen spam calls explode. In Peru, users received more than 30 spam calls in the month. Most of these calls were made by financial services that are looking to upsell credit cards and loans.

Youtube

YouTube Masthead, Rolling Out To All Users, is a Massive Auto-Playing Video Ad for TV (9to5google.com) 58

Speaking of YouTube ads, the Google-owned company is rolling out a new ad format for its TV experience, dubbed Masthead, to all users. The company tested this new ad format with some users earlier this year. From a report: Announced in a brief post, YouTube says that its beta test of this new ad format was successful in select markets, leading to the now global rollout of the Masthead ad format. The new format is available to all advertisers on a CPM basis as part of a cross-screen advertising campaign on YouTube. YouTube's Masthead ad format is not subtle by any means, appearing over the entire top portion of the TV app. Further, that ad auto-plays silently and expands to full-size when the user hovers over the ad. Advertisers, such as FOX, call this "first of its kind" initiative a "fantastic way" to promote their content. The TV network has been using the YouTube Masthead to promote its hit show The Masked Singer.
Youtube

YouTube Needs To Chill With Its Annoying Premium Spam (theverge.com) 117

Tom Warren, writing for The Verge: YouTube has been pissing me off for weeks. I'm starting to feel like I should pay $11.99 a month to subscribe to YouTube Premium just to get rid of the annoying pop-ups Google sends me almost daily. Google has decided to place pop-up ads in its own YouTube app for Premium subscriptions. This feels slightly acceptable at first, but Google has also decided these should spam you to death, sometimes full-screen, with no option to permanently dismiss them so you see them all the damn time. It's a classic growth hack designed to get more people to use YouTube Music or YouTube Premium because, honestly, who cares about either of those services? I already subscribe to Spotify, which is far superior to YouTube Music, and I'd never pay $11.99 just to have fewer YouTube ads and background playback of videos on my phone. It's a pointless subscription that Google is trying to lazily ram down my throat instead of improving its offering, competing fairly with others, and, most importantly, focusing on its customer experience. Google's efforts here have made sure I, and I bet many others, will never touch YouTube Music or YouTube Premium. I absolutely loathe both of these services to the point where I'm left swearing at my phone like an idiot, simply because these stubborn ads keep appearing on top of the YouTube videos I'm trying to watch.
Databases

Mysterious Hacker Dumps Database of Infamous IronMarch Neo-Nazi Forum (zdnet.com) 186

Freshly Exhumed shares a report from ZDNet: A mysterious hacker has published today a database dump of one of the internet's most infamous neo-nazi meeting places -- the IronMarch forum. The data published today includes a full copy of its content, including sensitive details such as emails, IP addresses, usernames, and private messages. The database dump is currently being analyzed by a multitude of entities, including law enforcement, in the hopes of linking forum members to accounts on other sites and potentially exposing their real-world identities. The drive to unmask forum members comes from the fact that IronMarch, while a little-known site to most internet users, has been the birthplace of two of today's most extreme far-right neo-nazi movements -- the Atomwaffen Division and SIEGE Culture -- with the first being accused of orchestrating at least eight murders around the world. The forum's data was published earlier today via the Internet Archive portal.

"The published information includes a carbon copy of the site, from user details to forum posts, and from private messages to multi-factor authentication settings and forum management logs," reports BleepingComputer. "The forum's database includes details on 3,548 registered profiles. The last user's database ID is 15,218; however, the dump only included details on 3,548 accounts -- most likely due to spam or deleted profiles. The registration date for the last user is November 20, 2017, suggesting the database is a copy of the site near the time it went offline."
AI

OpenAI Has Published the Text-Generating AI it Said Was Too Dangerous To Share (theverge.com) 62

The research lab OpenAI has released the full version of a text-generating AI system that experts warned could be used for malicious purposes. From a report: The institute originally announced the system, GPT-2, in February this year, but withheld the full version of the program out of fear it would be used to spread fake news, spam, and disinformation. Since then it's released smaller, less complex versions of GPT-2 and studied their reception. Others also replicated the work. In a blog post this week, OpenAI now says it's seen "no strong evidence of misuse" and has released the model in full.

GPT-2 is part of a new breed of text-generation systems that have impressed experts with their ability to generate coherent text from minimal prompts. The system was trained on eight million text documents scraped from the web and responds to text snippets supplied by users. Feed it a fake headline, for example, and it will write a news story; give it the first line of a poem and it'll supply a whole verse. It's tricky to convey exactly how good GPT-2's output is, but the model frequently produces eerily cogent writing that can often give the appearance of intelligence (though that's not to say what GPT-2 is doing involves anything we'd recognize as cognition).

Firefox

Firefox To Hide Notification Popups By Default Starting Next Year (zdnet.com) 48

An anonymous reader quotes ZDNet: In a move to fight spam and improve the health of the web, Firefox will hide those annoying notification popups by default starting next year, with the release of Firefox 72, in January 2020, ZDNet has learned from a Mozilla engineer.

The move comes after Mozilla ran an experiment back in April this year to see how users interacted with notifications, and also looked at different ways of blocking notifications from being too intrusive. Usage stats showed that the vast majority (97%) of Firefox users dismissed notifications, or chose to block a website from showing notifications at all...

As a result, Mozilla engineers have decided to hide the notification popup that drops down from Firefox's URL bar, starting with Firefox 72. If a website shows a notification, the popup will be hidden by default, and an icon added to the URL bar instead. Firefox will then animate the icon using a wiggle effect to let the user know there's a notification subscription popup available, but the popup won't be displayed until the user clicks the icon.

Mozilla is the first browser vendor to block notification popups by default, according to the article. It's already available in Firefox Nightly versions, but will be added to the stable branch in January.

"I think Mozilla's decision is good for the health of the web," Jérôme Segura, malware analyst at Malwarebytes tells ZDNet.
Software

Text Editor Releases 'Free Uyghur' Edition, Gets Swamped With Chinese Spam (theverge.com) 245

An anonymous reader quotes a report from The Verge: This week, the developer of the popular text- and code-editing software Notepad++ released a new version update. Nothing seemed particularly strange about it, except maybe the name: Notepad++ v7.8.1 is the "Free Uyghur" edition. In a blog post announcing the updated version, developer Don Ho writes about the plight of the Uyghur people, an ethnic minority in China that's faced persecution from the country's authoritarian government. China operates internment camps that are used to detain Uyghur people throughout the country's Xinjiang region.

Since the announcement, the software's GitHub "issues" page has been bombarded with spam, much of it in the Chinese language. "Stop sending meaningless political-related issues, it just makes you look like an idiot," reads one comment. Another one simply reads, "Bye ! Uninstall." There's a litany of curses, and one asks, "What do you know about China?" Others have moved in to criticize the Chinese government in response. Ho told The Verge that the software's dedicated site was also under a distributed-denial-of-service attack, but that it has been stopped by an anti-DDoS service provided by the site's host.
Ho writes in the announcement that he anticipated potential pushback, saying "talking about politics is exactly what software and commercial companies generally try to avoid," but decided to take the step anyway. "The problem is," Ho writes in the announcement of the Free Uyghur edition, "if we don't deal with politics, politics will deal with us."
Chrome

Google Workers Sidestepping Controversial Chrome Tool Sparks Security Worries (cnet.com) 55

Google is facing a backlash over an internal tool for the company's Chrome browser that some employees worry is intended for spying on workers organizing protests and discussing workplace issues. From a report: To get around using the tool, some employees have turned to third-party browsers. That's prompted at least one security engineer at Google to voice concern over the possible vulnerabilities that using outside software could bring. The tool is a software extension for Google's Chrome browser, which is installed on all employee computers. It's designed to activate when workers create calendar events that include more than 100 people or use more than 10 rooms. Google said the tool is a pop-up reminder that asks people to "be mindful" before setting up large meetings. But some employees have accused Google management of trying to keep tabs on big gatherings. Google has called those claims "categorically false" and said the purpose of the tool is to cut down on calendar spam. To avoid the extension, employees are encouraging each other to use browsers other than Chrome, a Google security engineer wrote in an internal forum, screenshots of which were reviewed by CNET. Those browsers include Chromium, the open-source browser foundation on which Google Chrome is built, the engineer wrote, adding that people shifting to other browsers "has an impact on overall security of this fleet."
Android

New 'Unremovable' XHelper Malware Has Infected 45,000 Android Devices (zdnet.com) 60

An anonymous reader quotes a report from ZDNet: Over the past six months, a new Android malware strain has made a name for itself after popping up on the radar of several antivirus companies, and annoying users thanks to a self-reinstall mechanism that has made it near impossible to remove. Named xHelper, this malware was first spotted back in March but slowly expanded to infect more than 32,000 devices by August (per Malwarebytes), eventually reaching a total of 45,000 infections this month (per Symantec). The malware is on a clear upward trajectory. Symantec says the xHelper crew is making on average 131 new victims per day and around 2,400 new victims per month. Most of these infections have been spotted in India, the U.S., and Russia.

According to Malwarebytes, the source of these infections is "web redirects" that send users to web pages hosting Android apps. These sites instruct users on how to side-load unofficial Android apps from outside the Play Store. Code hidden in these apps downloads the xHelper trojan. The good news is that the trojan doesn't carry out destructive operations. According to both Malwarebytes and Symantec, for most of its operational lifespan, the trojan has shown intrusive popup ads and notification spam. The ads and notifications redirect users to the Play Store, where victims are asked to install other apps -- a means through which the xHelper gang is making money from pay-per-install commissions.
What's interesting about xHelper is that it gains access to an Android device via an initial app and installs itself as a separate self-standing service. Furthermore, you can't remove the app, as the trojan reinstalls itself every time, even after users perform a factory reset.
Google

Google Accused of Creating Spy Tool To Squelch Worker Dissent (bloomberg.com) 57

An anonymous reader quotes a report from Bloomberg: Google employees are accusing the company's leadership of developing an internal surveillance tool that they believe will be used to monitor workers' attempts to organize protests and discuss labor rights. Earlier this month, employees said they discovered that a team within the company was creating the new tool for the custom Google Chrome browser installed on all workers' computers and used to search internal systems. The concerns were outlined in a memo written by a Google employee and reviewed by Bloomberg News and by three Google employees who requested anonymity because they aren't authorized to talk to the press.

The tool would automatically report staffers who create a calendar event with more than 10 rooms or 100 participants, according to the employee memo. The most likely explanation, the memo alleged, "is that this is an attempt of leadership to immediately learn about any workers organization attempts." A representative for Alphabet Inc.'s Google said, "These claims about the operation and purpose of this extension are categorically false. This is a pop-up reminder that asks people to be mindful before auto-adding a meeting to the calendars of large numbers of employees." The extension was prompted by an increase in spam around calendars and events, according to Google. It doesn't collect personally identifiable information, nor does it stop the use of calendars but rather adds a speed bump when employees are reaching out to a large group, the company said.

Software

MediaLab Buys Kik (betakit.com) 8

The Kik Messenger app has officially been acquired by U.S.-based holding company MediaLab. The news comes just one day before the app was scheduled to shut down. From a report: The blog post noted that MediaLab plans to keep the app alive and also outlines ideas it has to improve the app moving forward. It is noted that the acquiring company plans to partner with Kik CEO Ted Livingston and the remaining 19 team members and is still dedicated to expanding the Kin integration.

MediaLab stated that it has a long term commitment to Kik and seeing the app succeed, but also noted the urgent need to cover expenses. The blog post stated that in the coming weeks ads will be introduced to Kik Messenger. The holding company acknowledged that some Kik users may not like this idea, but stated plans to bring in the ads in a "non-intrusive" way that "in no way takes away from what makes Kik great." "No annoying full screen video takeovers or things like that," the blog post stated. Other changes MediaLab plans to make to the app include pulling back features it said were not optimized. Kik's video chat toggle and third party bots platform will be discontinued, with MediaLab noting that it wants to eradicate spam bots and unwanted messages. It also stated it will update the app's software to make it faster, more reliable, and "less buggy."
"Ted Livingston and the rest of the team at Kik have spent the last nine years building something truly special," the blog post stated. "At the risk of sounding cheesy, we are still passionate believers in what the internet promised to bring in its early days -- a connected and shared experience amongst people regardless of geography or time zone. Kik is one of those amazing places that brings us back to those early aspirations."
Graphics

Was Flash Responsible For 'The Internet's Most Creative Era'? (vice.com) 72

A new article this week on Motherboard argues that Flash "is responsible for the internet's most creative era," citing a new 640-page book by Rob Ford on the evolution of web design.

[O]ne could argue that the web has actually gotten less creative over time, not more. This interpretation of events is a key underpinning of Web Design: The Evolution of the Digital World 1990-Today (Taschen, $50), a new visual-heavy book from author Rob Ford and editor Julius Wiedemann that does something that hasn't been done on the broader internet in quite a long time: It praises the use of Flash as a creative tool, rather than a bloated malware vessel, and laments the ways that visual convention, technical shifts, and walled gardens have started to rein in much of this unvarnished creativity.

This is a realm where small agencies supporting big brands, creative experimenters with nothing to lose, and teenage hobbyists could stand out simply by being willing to try something risky. It was a canvas with a built-in distribution model. What wasn't to like, besides a whole host of malware?

The book's author tells Motherboard that "Without the rebels we'd still be looking at static websites with gray text and blue hyperlinks." But instead we got wild experiments like Burger King's "Subservient Chicken" site or the interactive "Wilderness Downtown" site coded by Google.

There were also entire cartoon series like Radiskull and Devil Doll or Zombie College -- not to mention games like "A Murder of Scarecrows" or the laughably unpredictable animutations of 14-year-old Neil Cicierega. But Ford tells Motherboard that today, many of the wild ideas have moved from the web to augmented reality and other "physical mediums... The rise in interactive installations, AR, and experiential in general is where the excitement of the early days is finally happening again."

Motherboard calls the book "a fitting coda for a kind of digital creativity that -- like Geocities and MySpace pages, multimedia CD-ROMs, and Prodigy graphical interfaces before it -- has faded in prominence."
Botnet

World's Most Destructive Botnet Returns With Stolen Passwords and Email In Tow (arstechnica.com) 30

An anonymous reader quotes a report from Ars Technica: If you've noticed an uptick of spam that addresses you by name or quotes real emails you've sent or received in the past, you can probably blame Emotet. It's one of the world's most costly and destructive botnets -- and it just returned from a four-month hiatus. A post published on Tuesday by researchers from Cisco's Talos security team helps explain how Emotet continues to threaten so many of its targets.

Spam sent by Emotet often appears to come from a person the target has corresponded with in the past and quotes the bodies of previous email threads the two have participated in. Emotet gets this information by raiding the contact lists and email inboxes of infected computers. The botnet then sends a follow-up email to one or more of the same participants and quotes the body of the previous email. It then adds a malicious attachment. The result: malicious messages that are hard for both humans and spam filters to detect. The use of previously sent emails isn't new, since Emotet did the same thing before it went silent in early June. But with its return this week, the botnet is relying on the trick much more. About 25% of spam messages Emotet sent this week include previously sent emails, compared with about 8% of spam messages sent in April.
"To make sending the spam easier, Emotet also steals the usernames and passwords for outgoing email servers," the report adds. "Those passwords are then turned over to infected machines that Emotet control servers have designated as spam emitters. The Talos researchers found almost 203,000 unique pairs that were collected over a 10-month period."

Malwarebytes says Emotet has brought back another tactic where it refers to targets by name in subject lines. "Once opened, the documents attached to the emails claim that, effective September 20, 2019, users can only read the contents after they have agreed to a licensing agreement for Microsoft Word," reports Ars Technica. "And to do that, according to a post from security firm Cofense, users must click on an Enable Content button that turns on macros in Word."

"After Office macros are enabled, Emotet executables are downloaded from one of five different payload locations," Cofense researchers Alan Rainer and Max Gannon wrote. "When run, these executables launch a service that looks for other computers on the network. Emotet then downloads an updated binary and proceeds to fetch TrickBot if a (currently undetermined) criteria of geographical location and organization are met."
Crime

Released from Prison, Spammer Who Stole 17.5 Million Passwords Apologizes and Reforms (zdnet.com) 19

An anonymous reader quotes ZDNet: Kyle Milliken, a 29-year-old Arkansas man, was released last week from a federal work camp. He served 17 months for hacking into the servers of several companies and stealing their user databases. Some of the victims included Disqus, from where he stole 17.5 million user records, Kickstarter, from where he took 5.2 million records, and Imgur, with 1.7 million records. For years, Milliken and his partners operated by using the credentials stolen from other companies to break into more lucrative accounts on other services.

If users had reused their passwords, Milliken would access their email inboxes, Facebook, Twitter, or Myspace accounts, and post spam promoting various products and services. From 2010 to 2014, Milliken and his colleagues operated a successful spam campaign using this simple scheme, making more than $1.4 million in profits, and living the high life. Authorities eventually caught up with the hacker. He was arrested in 2014, and collaborated with authorities for the following years, until last year, when it leaked that he was collaborating with authorities and he was blackballed on the cybercrime underground....

In an interview with ZDNet last week, Milliken said he's planning to go back to school and then start a career in cyber-security... [H]e publicly apologized to the Kickstarter CEO on Twitter. "I've had a lot of time to reflect and see things from a different perspective," Milliken told ZDNet. "When you're hacking or have an objective to dump a database, you don't think about who's on the other end. There's a lot of talented people, a ton of work, and even more money that goes into creating a company... there's a bit of remorse for putting these people through cyber hell."

He also has a message for internet users: stop reusing your passwords. And he also suggests enabling two-factor authentication.

"I honestly think that the big three email providers (Microsoft, Yahoo, Google) added this feature because of me."
Privacy

Is Silicon Valley Building a Chinese-Style Social Credit System? (fastcompany.com) 136

schwit1 shared this thought-provoking article from Fast Company: Many Westerners are disturbed by what they read about China's social credit system. But such systems, it turns out, are not unique to China. A parallel system is developing in the United States, in part as the result of Silicon Valley and technology-industry user policies, and in part by surveillance of social media activity by private companies. Here are some of the elements of America's growing social credit system.

- The New York State Department of Financial Services announced earlier this year that life insurance companies can base premiums on what they find in your social media posts...

- Airbnb can disable your account for life for any reason it chooses, and it reserves the right to not tell you the reason...

- You can be banned from communications apps, too. For example, you can be banned on WhatsApp if too many other users block you. You can also get banned for sending spam, threatening messages, trying to hack or reverse-engineer the WhatsApp app, or using the service with an unauthorized app...

The most disturbing attribute of a social credit system is not that it's invasive, but that it's extralegal. Crimes are punished outside the legal system, which means no presumption of innocence, no legal representation, no judge, no jury, and often no appeal. In other words, it's an alternative legal system where the accused have fewer rights. Social credit systems are an end-run around the pesky complications of the legal system. Unlike China's government policy, the social credit system emerging in the U.S. is enforced by private companies. If the public objects to how these laws are enforced, it can't elect new rule-makers...

If current trends hold, it's possible that in the future a majority of misdemeanors and even some felonies will be punished not by Washington, D.C., but by Silicon Valley. It's a slippery slope away from democracy and toward corporatocracy. In other words, in the future, law enforcement may be determined less by the Constitution and legal code, and more by end-user license agreements.
