It’s been a busy week. The Senate voted 74-21 to pass CISA, the problematic surveillance bill that has privacy advocates and civil liberties groups up in arms. In better news, the EU Parliament voted to protect Snowden from extradition if he comes to Europe, paving the way for European countries to reconsider his asylum request. But the again, the EU also passed net neutrality rules filled with loopholes that aren’t exactly neutral. The Library of Congress approved copyright law exemptions that would allow people to modify software on their cars—but the exemptions only last three years after they begin to take effect, which won’t be for another year. And Tor launched the beta version of Tor Messenger, which looks like the easiest-to-use encrypted, anonymous instant messaging app.

But that’s not all. Each Saturday we round up the news stories that we didn’t break or cover in depth at WIRED, but which deserve your attention nonetheless. As always, click on the headlines to read the full story in each link posted. And stay safe out there!

### Cops Were Accidentally Leaking License Plate Surveillance Data Online

The fact that local governments collect data on every driver’s travel history is pretty disconcerting. That idea that this data is sometimes widely available to anyone with a web browser is even scarier. Earlier this year, EFF learned that information from more than 100 auto license plate reader cameras was available online, and sometimes the camera’s live video stream (and plate captures) could be viewed in real time. The digital rights group was able to trace five cameras to their sources, and found multiple issues such as poor or default passwords, or no passwords at all. Luckily, when notified by EFF, the agencies secured the systems, but tracking the sources of all cameras wasn’t possible. Other than securing surveillance technology before using it (what a concept!) it would behoove law enforcement agencies to limit their data storage to days, not years—and only for vehicles suspected to have been involved with a crime, the EFF concluded.

The Defense Advanced Research Projects Agency (DARPA) paid close to $500,000 to Kudu Dynamics for a project called ICEWARD (“Internet Cyber Early Warning of Adversary Research and Development”), with the goal of monitoring infosec researchers in order to to try to determine which vulnerabilities they’re looking for. Some privacy advocates believe the program’s intent is simply to spy on security researchers—and after DARPA scrubbed the program’s online description (which is still available elsewhere online) certainly didn’t alleviate suspicions. But others are less wary, especially since the project seems to entail simply collecting public information to learn what researchers are working on rather than trying to intercept communications.

We have more details about the two FBI surveillance planes that circled over Baltimore during protests after the death of Freddie Gray. FBI and Federal Aviation Authority documents released in response to a Freedom of Information Act request by the ACLU show that at least one of the two planes had thermal imaging and night vision camera technology, and that law enforcement kept the videos it took during the flights. The use of thermal imaging without a warrant was deemed unconstitutional by the Supreme Court in a case where law enforcement used the technology to look for heat lamps inside somebody’s home. Although FBI spokesperson Christopher Allen said that the infrared cameras "are not able to identify specific heat signatures through a solid object," the new details about how this surveillance technology is being used still raises 4th Amendment concerns.

The UK phone and broadband provider TalkTalk was hacked, and it’s possible whoever did it stole both personal and financial data. The company reportedly also received a ransom demand of around £80,000 (approximately $122,000 US dollars) in exchange for the attackers not publishing customer data. Several hacker collectives have claimed responsibility for the attack, which may have started with a SQL injection along with a denial-of-service attack that may have been a distraction. Authorities arrested a 15-year-old boy in Northern Ireland in connection with the attack, as well as a 16-year-old from West London.

Apparently Germany is looking into new allegations of NSA or GCHQ spying. Due to lack of evidence, it had dropped an earlier investigation into allegations that the US was spying on German Chancellor Angela Merkel’s mobile phone. This new probe concerns the alleged installation of the spying virus Regin on a department chief’s personal laptop.

Russian submarines and spy ships operating near undersea communication cables have the US on edge. That’s because any attacks on those lines could wreak havoc on global Internet communications and business. In fact, the Department of Homeland Security lists undersea cables’ landing areas as critical infrastructure. Although cables do get cut by anchors and natural disasters, this typically happens close to shore and is quick to repair. Pentagon planners are worried that Russia could target cables that are deeper and harder to monitor, find, and repair. They could also be hunting for cables in undisclosed locations that the US has commissioned for military operations. Norway, a NATO ally, has asked its neighbors for assistance in tracking Russian submarines.

Even the Internal Revenue Service has Stingray surveillance equipment, according to documents obtained by the Guardian under the Freedom of Information Act. It bought the equipment in 2009 and 2012. The 2012 invoice shows that the IRS spent more than $65,000 upgrading the Stingray II to the more powerful HailStorm, and spent an additional $6,000 on training from the manufacturer, Harris Corporation. Twelve federal agencies in addition to the IRS—including the NSA and FBI—already use the invasive surveillance technology, as do local and state police departments. It’s not entirely clear how or why tax collectors are using the cellphone tracking devices, but newly released documents show that the controversial devices can intercept both voice and text communications, in addition to metadata.

Speaking of stingrays, now researchers have devised an inexpensive alternative that can track the location of smartphones by attacking LTE specifications with just $1,400 worth of hardware. LTE attempts to conceal the location of individual phones by changing their temporary mobile subscriber identities, but this attack uses texts, undetectable calls, or app messages to get the network to locate the phone, thus connecting phone numbers with subscriber identities. Active attacks could impersonate official base stations provided by the network carrier and force LTE phones to connect to it, much like the stingrays the government keeps using on its citizens. Attackers can even get GPS coordinates in some circumstances, or obtain data to triangulate the exact location of a phone. The researchers notified the manufacturers and carriers affected by this back in June and July.

Eleven-year-old Mira Modi, daughter of ProPublica journalist and Dragnet Nation author Julia Angwin, started generating Diceware passwords for her mom—and then turned it into a business. She creates truly random passwords the old-fashioned way: by rolling real six-sided dice, finding the corresponding words in the Diceware word list, copying them by hand, and mailing them to the customer.

If you’re looking for a last-minute Halloween costume, here’s an idea courtesy of engineer and artist Brian Matthews: Dress up as Edward Snowdenhands—a reference to our favorite on-air prank that happened, ever. Or you could always be Waldo.