Slashdot security articles


The First Lightning Security Key For iPhones Is Here, and It Works With USB-C, Too

Wed, 08/21/2019 - 02:00
Yubico is releasing the $70 YubiKey 5Ci, the first security key that can plug into your iPhone's Lightning port or a USB-C port, and it's compatible with popular password vaults LastPass and 1Password out of the box. The Verge reports: That means you may not have to remember your password for your bank ever again -- just plug the YubiKey into your iPhone, use it to log into the 1Password app, and get that bank password. At launch, it'll support these well-known password managers and single sign-on tools: 1Password, Bitwarden, Dashlane, Idaptive, LastPass, and Okta. And when using the Brave browser for iOS, the YubiKey 5Ci can be used as an easier way to log into Twitter, GitHub, 1Password's web app, and a couple other services. Notably, the 5Ci doesn't work with the newest iPad Pros at all, despite having a USB-C connector that fits. And you can't just plug the Lightning side of the 5Ci into an iPhone and expect it to work with any service that supports the FIDO authentication protocol -- our passwordless future isn't here just yet. Yubico tells The Verge that services have to individually add support for Lightning connector on the 5Ci into their apps.

WebKit Introduces New Tracking Prevention Policy

Tue, 08/20/2019 - 07:30
AmiMoJo writes: WebKit, the open source HTML engine used by Apple's Safari browser and a number of others, has created a new policy on tracking prevention. The short version is that many forms of tracking will now be treated the same way as security flaws, being blocked or mitigated with no exceptions. While on-site tracking will still be allowed (and is practically impossible to prevent anyway), all forms of cross-site tracking and covert tracking will be actively and aggressively blocked.

Hacker Releases First Public Jailbreak for Up-to-Date iPhones in Years

Mon, 08/19/2019 - 11:21
Apple has mistakenly made it a bit easier to hack iPhone users who are on the latest version of its mobile operating system iOS by unpatching a vulnerability it had already fixed. From a report: Hackers quickly jumped on this over the weekend, and publicly released a jailbreak for current, up-to-date iPhones -- the first free public jailbreak for a fully updated iPhone that's been released in years. Security researchers found this weekend that iOS 12.4, the latest version released in June, reintroduced a bug found by a Google hacker that was fixed in iOS 12.3. That means it's currently relatively easy to not only jailbreak up to date iPhones, but also hack iPhone users, according to people who have studied the issue. "Due to 12.4 being the latest version of iOS currently available and the only one which Apple allows upgrading to, for the next couple of days (till 12.4.1 comes out), all devices of this version (or any 11.x and 12.x below 12.3) are jail breakable -- which means they are also vulnerable to what is effectively a 100+ day exploit," said Jonathan Levin, a security researcher and trainer who specializes in iOS, referring to the fact that this vulnerability can be exploited with code that was found more than 100 days ago. Pwn20wnd, a security researcher who develops iPhone jailbreaks, published a jailbreak for iOS 12.4 on Monday.

Degrading Tor Network Performance Only Costs a Few Thousand Dollars Per Month

Mon, 08/19/2019 - 07:21
Threat actors or nation-states looking into degrading the performance of the Tor anonymity network can do it on the cheap, for only a few thousand US dollars per month, new academic research has revealed. An anonymous reader writes: According to researchers from Georgetown University and the US Naval Research Laboratory, threat actors can use tools as banal as public DDoS stressers (booters) to slow down Tor network download speeds or hinder access to Tor's censorship circumvention capabilities. Academics said that while an attack against the entire Tor network would require immense DDoS resources (512.73 Gbit/s) and would cost around $7.2 million per month, there are far simpler and more targeted means for degrading Tor performance for all users. In research presented this week at the USENIX security conference, the research team showed the feasibility and effects of three types of carefully targeted "bandwidth DoS [denial of service] attacks" that can wreak havoc on Tor and its users. Researchers argue that while these attacks don't shut down or clog the Tor network entirely, they can be used to dissuade or drive users away from Tor due to prolonged poor performance, which can be an effective strategy in the long run.

Massive Ransomware Attack Hits 23 Local Texas Government Offices

Sun, 08/18/2019 - 20:34
Long-time Slashdot reader StonyCreekBare shared this press release from the Texas Department of Information Resources (DIR), as of August 17, 2019, at approximately 5:00 p.m. central time: On the morning of August 16, 2019, more than 20 entities in Texas reported a ransomware attack. The majority of these entities were smaller local governments... At this time, the evidence gathered indicates the attacks came from one single threat actor. Investigations into the origin of this attack are ongoing; however, response and recovery are the priority at this time. It appears all entities that were actually or potentially impacted have been identified and notified. Twenty-three entities have been confirmed as impacted. Responders are actively working with these entities to bring their systems back online. The State of Texas systems and networks have not been impacted.

A Major Cyber Attack Could Be Just As Deadly As Nuclear Weapons

Sun, 08/18/2019 - 14:39
"As someone who studies cybersecurity and information warfare, I'm concerned that a cyberattack with widespread impact, an intrusion in one area that spreads to others or a combination of lots of smaller attacks, could cause significant damage, including mass injury and death rivaling the death toll of a nuclear weapon," warns an assistant Professor of Computer Science, North Dakota State University: Unlike a nuclear weapon, which would vaporize people within 100 feet and kill almost everyone within a half-mile, the death toll from most cyberattacks would be slower. People might die from a lack of food, power or gas for heat or from car crashes resulting from a corrupted traffic light system. This could happen over a wide area, resulting in mass injury and even deaths... The FBI has even warned that hackers are targeting nuclear facilities. A compromised nuclear facility could result in the discharge of radioactive material, chemicals or even possibly a reactor meltdown. A cyberattack could cause an event similar to the incident in Chernobyl. That explosion, caused by inadvertent error, resulted in 50 deaths and evacuation of 120,000 and has left parts of the region uninhabitable for thousands of years into the future. My concern is not intended to downplay the devastating and immediate effects of a nuclear attack. Rather, it's to point out that some of the international protections against nuclear conflicts don't exist for cyberattacks... Critical systems, like those at public utilities, transportation companies and firms that use hazardous chemicals, need to be much more secure... But all those systems can't be protected without skilled cybersecurity staffs to handle the work. At present, nearly a quarter of all cybersecurity jobs in the US are vacant, with more positions opening up than there are people to fill them. One recruiter has expressed concern that even some of the jobs that are filled are held by people who aren't qualified to do them. 
The solution is more training and education, to teach people the skills they need to do cybersecurity work, and to keep existing workers up to date on the latest threats and defense strategies.

Should HTTPS Certificates Expire After Just 397 Days?

Sun, 08/18/2019 - 11:34
Google has made a proposal to the unofficial cert industry group that "would cut lifespan of SSL certificates from 825 days to 397 days," reports ZDNet. No vote was held on the proposal; however, most browser vendors expressed their support for the new SSL certificate lifespan. On the other side, certificate authorities were not too happy, to say the least. In the last decade and a half, browser makers have chipped away at the lifespan of SSL certificates, cutting it down from eight years to five, then to three, and then to two. The last change occurred in March 2018, when browser makers tried to reduce SSL certificate lifespans from three years to one, but compromised for two years after pushback from certificate authorities. Now, barely two years later after the last change, certificate authorities feel bullied by browser makers into accepting their original plan, regardless of the 2018 vote... This fight between CAs and browser makers has been happening in the shadows for years. As HashedOut, a blog dedicated to HTTPS-related news, points out, this proposal is much more about proving who controls the HTTPS landscape than everything. "If the CAs vote this measure down, there's a chance the browsers could act unilaterally and just force the change anyway," HashedOut said. "That's not without precedent, but it's also never happened on an issue that is traditionally as collegial as this. "If it does, it becomes fair to ask what the point of the CA/B Forum even is. Because at that point the browsers would basically be ruling by decree and the entire exercise would just be a farce." Security researcher Scott Helme "claims that this process is broken and that bad SSL certificates continue to live on for years after being misissued and revoked -- hence the reason he argued way back in early 2018 that a shorter lifespan for SSL certificates would fix this problem because bad SSL certs would be phased out faster."
But the article also notes that Timothy Hollebeek, DigiCert's representative at the CA/B Forum argues that the proposed change "has absolutely no effect on malicious websites, which operate for very short time periods, from a few days to a week or two at most. After that, the domain has been added to various blacklists, and the attacker moves on to a new domain and acquires new certificates."

Google Plans To Remove All FTP Support From Chrome

Sun, 08/18/2019 - 05:34
An anonymous reader quotes MSPoweruser: Google Chrome always had a bit of a love-hate relationship when it comes to managing FTP links. The web browser usually downloads instead of rendering it like other web browsers. However, if you're using FTP then you might have to look elsewhere soon as Google is planning to remove FTP support altogether. In a post (via Techdows), Google today announced its intention to deprecate FTP support starting with Chrome v80. The main issue with FTP right now is security and the protocol doesn't support encryption, which makes it vulnerable, and Google has decided it's no longer feasible to support it.

Intel Patches Three High-Severity Vulnerabilities

Sat, 08/17/2019 - 17:34
Intel's latest patches "stomped out three high-severity vulnerabilities and five medium-severity flaws," reports Threatpost: One of the more serious vulnerabilities exists in the Intel Processor Identification Utility for Windows, free software that users can install on their Windows machines to identify the actual specification of their processors. The flaw (CVE-2019-11163) has a score of 8.2 out of 10 on the CVSS scale, making it high severity. It stems from insufficient access control in a hardware abstraction driver for the software, versions earlier than 6.1.0731. This glitch "may allow an authenticated user to potentially enable escalation of privilege, denial of service or information disclosure via local access" according to Intel. Users are urged to update to version 6.1.0731. Intel stomped out another high-severity vulnerability in its Computing Improvement Program, which is a program that Intel users can opt into that uses information about participants' computer performance to make product improvement and detect issues. However, the program contains a flaw (CVE-2019-11162) in the hardware abstraction of the SEMA driver that could allow escalation of privilege, denial of service or information disclosure... A final high-severity flaw was discovered in the system firmware of the Intel NUC (short for Next Unit of Computing), a mini-PC kit used for gaming, digital signage and more. The flaw (CVE-2019-11140) with a CVSS score of 7.5 out of 10, stems from insufficient session validation in system firmware of the NUC. This could enable a user to potentially enable escalation of privilege, denial of service and information disclosure. An exploit of the flaw would come with drawbacks -- a bad actor would need existing privileges and local access to the victim system. The article notes that the patches "come on the heels of a new type of side-channel attack revealed last week impacting millions of newer Intel microprocessors manufactured after 2012."

June Windows Security Patch Broke Many EMF Files

Sat, 08/17/2019 - 09:04
reg (Slashdot user #5,428) writes: A Windows security patch in June broke the display of many Windows Metafile graphics across all supported versions of Windows, resulting in many old PowerPoint files and Word documents not displaying figures, and graphics from some popular applications not displaying, including at least some ESRI GIS products and files created using the devEMF driver in R. This likely also impacts EMF files created with Open Source Office suites. While the problem can be fixed by recreating the files using a newer set of options, or resorting to using bitmaps, it means that presentations or documents that used to display perfectly no longer do. Microsoft promised a fix in July, but there is still no news of when it will be available.

Chrome and Firefox Changes Spark the End of 'Extended Validation' Certificates

Sat, 08/17/2019 - 06:34
"Upcoming changes in Google Chrome and Mozilla Firefox may finally spark the end for Extended Validation certificates as the browsers plan to do away with showing a company's name in the address bar," reports Bleeping Computer. When connecting to a secure web site, an installed SSL/TLS certificate will encrypt the communication between the browser and web server. These certificates come in a few different flavors, with some claiming to offer a more thorough verification process or extra perks. One certificate, called EV Certificates, are known for having a browser display the owner of the certificate directly in the browser's address bar. This allegedly makes the site feel more trustworthy to a visitor. In reality, the different types of SSL/TLS certificates all serve a single purpose and that is to encrypt the communication between a browser and web site. Anything extra is seen by many as just a marketing gimmick to charge customers for a more expensive "trustworthy" certificate. In numerous blog posts, security researcher Troy Hunt has stated that EV Certificates will soon be dead as more and more sites switch away from them, because they are much harder to manage due to extra verification times, and because people have come to associate a padlock with a secure site rather than a company name. With Safari already removing EV Certificate company info from the address bar, most mobile browsers not showing it, and Chrome and Mozilla desktop browsers soon to remove it, Hunt's predictions are coming true. EV Certificates will soon be dead. AmiMoJo shared this post from Google's Chromium blog: Through our own research as well as a survey of prior academic work, the Chrome Security UX team has determined that the EV UI does not protect users as intended. Users do not appear to make secure choices (such as not entering password or credit card information) when the UI is altered or removed, as would be necessary for EV UI to provide meaningful protection.
Further, the EV badge takes up valuable screen real estate, can present actively confusing company names in prominent UI, and interferes with Chrome's product direction towards neutral, rather than positive, display for secure connections. Because of these problems and its limited utility, we believe it belongs better in Page Info.

Huge Survey of Firmware Finds No Security Gains In 15 Years

Fri, 08/16/2019 - 15:20
A survey of more than 6,000 firmware images spanning more than a decade finds no improvement in firmware security and lax security standards for the software running connected devices by Linksys, Netgear and other major vendors. The Security Ledger reports: "Nobody is trying," said Sarah Zatko, the Chief Scientist at the Cyber Independent Testing Lab (CITL), a non-profit organization that conducts independent tests of software security. "We found no consistency in a vendor or product line doing better or showing improvement. There was no evidence that anybody is making a concerted effort to address the safety hygiene of their products," she said. The CITL study surveyed firmware from 18 vendors including ASUS, D-link, Linksys, NETGEAR, Ubiquiti and others. In all, more than 6,000 firmware versions were analyzed, totaling close to 3 million binaries created from 2003 to 2018. It is the first longitudinal study of IoT software safety, according to Zatko. CITL researchers studied publicly available firmware images and evaluated them for the presence of standard security features such as the use of non-executable stacks, Address Space Layout Randomization (ASLR) and stack guards, which prevent buffer overflow attacks. The results were not encouraging. Time and again, firmware from commonly used manufacturers failed to implement basic security features even when researchers studied the most recent versions of the firmware. For example: firmware for the ASUS RT-AC55U wifi router did not employ ASLR or stack guards to protect against buffer overflow attacks. Nor did it employ a non-executable stack to protect against "stack smashing," another variety of overflow attack. CITL found the same was true of firmware for Ubiquiti's UAP AC PRO wireless access points, as well as DLink's DWL-6600 access point. Router firmware by vendors like Linksys and NETGEAR performed only slightly better on CITL's assessment. 
CITL researchers also "found no clear progress in any protection category over time," reports The Security Ledger. "Researchers documented 299 positive changes in firmware security scores over the 15 years covered by the study... but 370 negative changes over the same period. Looking across its entire data set, in fact, firmware security actually appeared to get worse over time, not better." On the bright side, the survey found that almost all recent router firmware by Linksys and NETGEAR boasted non-executable stacks. "However, those same firmware binaries did not employ other common security features like ASLR or stack guards, or did so only rarely," says the report.

Judge Orders Georgia To Switch To Paper Ballots For 2020 Elections

Fri, 08/16/2019 - 14:00
An anonymous reader quotes a report from Ars Technica: Election security advocates scored a major victory on Thursday as a federal judge issued a 153-page ruling ordering Georgia officials to stop using its outdated electronic voting machines by the end of the year. The judge accepted the state's argument that it would be too disruptive to switch to paper ballots for municipal elections being held in November 2019. But she refused to extend that logic into 2020, concluding that the state had plenty of time to phase out its outdated touchscreen machines before then. The state of Georgia was already planning to phase out its ancient touchscreen electronic voting machines in favor of a new system based on ballot-marking machines. Georgia hopes to have the new machines in place in time for a presidential primary election in March 2020. In principle, that switch should address many of the critics' concerns. The danger, security advocates said, was that the schedule could slip and Georgia could then fall back on its old, insecure electronic machines in the March primary and possibly in the November 2020 general election as well. The new ruling by Judge Amy Totenberg slams the door shut on that possibility. If Georgia isn't able to switch to its new high-tech system, it will be required to fall back on a low-tech system of paper ballots rather than continue using the insecure and buggy machines it has used for well over a decade. Alex Halderman, a University of Michigan computer scientist who served as the plaintiffs' star witness in the case, hailed the judge's ruling. "The court's ruling recognizes that Georgia's voting machines are so insecure, they're unconstitutional," Halderman said in an email to Ars. "That's a huge win for election security that will reverberate across other states that have equally vulnerable systems."

Hundreds of Thousands of People Are Using Passwords That Have Already Been Hacked, Google Says

Fri, 08/16/2019 - 08:45
A new Google study this week confirmed the obvious: internet users need to stop using the same password for multiple websites unless they're keen on having their data hijacked, their identity stolen, or worse. From a report: It seems like not a day goes by without a major company being hacked or leaving user email addresses and passwords exposed to the public internet. These login credentials are then routinely used by hackers to hijack your accounts, a threat that's largely mitigated by using a password manager and unique password for each site you visit. Sites like "have I been pwned?" can help users track if their data has been exposed, and whether they need to worry about their credentials bouncing around the dark web. But it's still a confusing process for many users unsure of which passwords need updating. To that end, last February Google unveiled a new experimental Password Checkup extension for Chrome. The extension warns you any time you log into a website using one of over 4 billion publicly-accessible usernames and passwords that have been previously exposed by a major hack or breach, and prompts you to change your password when necessary. The extension was built in concert with cryptography experts at Stanford University to ensure that Google never learns your usernames or passwords, the company says in an explainer. Anonymous telemetry data culled from the extension has provided Google with some interesting information on how widespread the practice of account hijacking and non-unique passwords really is.

New Bluetooth KNOB Flaw Lets Attackers Manipulate Traffic

Fri, 08/16/2019 - 06:41
A new Bluetooth vulnerability named "KNOB" has been disclosed that allows attackers to more easily brute force the encryption key used during pairing to monitor or manipulate the data transferred between two paired devices. From a report: In a coordinated disclosure between Center for IT-Security, Privacy and Accountability (CISPA), ICASI, and ICASI members such as Microsoft, Apple, Intel, Cisco, and Amazon, a new vulnerability called "KNOB" has been disclosed that affects Bluetooth BR/EDR devices, otherwise known as Bluetooth Classic, using specification versions 1.0 - 5.1. This flaw has been assigned CVE ID CVE-2019-9506 and allows an attacker to reduce the length of the encryption key used for establishing a connection. In some cases, an attacker could reduce the length of an encryption key to a single octet. "The researchers identified that it is possible for an attacking device to interfere with the procedure used to set up encryption on a BR/EDR connection between two devices in such a way as to reduce the length of the encryption key used," stated an advisory on Bluetooth.com. "In addition, since not all Bluetooth specifications mandate a minimum encryption key length, it is possible that some vendors may have developed Bluetooth products where the length of the encryption key used on a BR/EDR connection could be set by an attacking device down to a single octet."

Apple Files Lawsuit Against Corellium For iOS Emulation

Thu, 08/15/2019 - 21:15
Apple has filed a lawsuit against Corellium, accusing the software company of illegally selling virtual copies of iOS under the guise of helping discover security flaws. "Apple said the software company Corellium has copied the operating system, graphical user interface and other aspects of the devices without permission, and wants a federal judge to stop the violations," reports Bloomberg. From the report: Apple said it supports "good-faith security research," offering a $1 million "bug bounty" for anyone who discovers flaws in its system and gives custom versions of the iPhone to "legitimate" researchers. Corellium, the iPhone maker said, goes further than that. "Although Corellium paints itself as providing a research tool for those trying to discover security vulnerabilities and other flaws in Apple's software, Corellium's true goal is profiting off its blatant infringement," Apple said in the complaint. "Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder." Corellium creates copies of the Apple iOS, and says that it's all to help white-hat hackers discover security flaws. Instead, according to Apple, any information is sold to people who can then exploit those flaws. Corellium, in a posting dated July 4 on its website, said it "respects the intellectual property rights of others and expects its users to do the same." Corellium's products allow the creation of a virtual Apple device, according to the suit. It copies new versions of Apple works as soon as they are announced, and doesn't require users to disclose flaws to Apple, the Cupertino, California-based company said in the complaint. Apple also wants a court order forcing Corellium to notify its customers that they are in violation of Apple's rights, destruction of any products using Apple copyrights, and cash compensation.

President Trump Is Reportedly Considering Buying Greenland

Thu, 08/15/2019 - 18:15
According to The Wall Street Journal, President Trump has -- with varying degrees of seriousness -- floated the idea of the U.S. buying the autonomous Danish territory of Greenland. From the report: In meetings, at dinners and in passing conversations, Mr. Trump has asked advisers whether the U.S. can acquire Greenland, listened with interest when they discuss its abundant resources and geopolitical importance and, according to two of the people, has asked his White House counsel to look into the idea. Some of his advisers have supported the concept, saying it was a good economic play, two of the people said, while others dismissed it as a fleeting fascination that will never come to fruition. It is also unclear how the U.S. would go about acquiring Greenland even if the effort were serious. U.S. officials view Greenland as important to American national-security interests. A decades-old defense treaty between Denmark and the U.S. gives the U.S. military virtually unlimited rights in Greenland at America's northernmost base, Thule Air Base. Located 750 miles north of the Arctic Circle, it includes a radar station that is part of a U.S. ballistic missile early-warning system. The base is also used by the U.S. Air Force Space Command and the North American Aerospace Defense Command. People outside the White House have described purchasing Greenland as an Alaska-type acquisition for Mr. Trump's legacy, advisers said. The few current and former White House officials who had heard of the notion described it with a mix of anticipation and apprehension, since it remains unknown how far the president might push the idea. It generated a cascade of questions among his advisers, such as whether the U.S. could use Greenland to establish a stronger military presence in the Arctic, and what kind of research opportunities it might present. 
The report says that Trump told associates he had been advised to look into buying Greenland because Denmark faced financial trouble from supporting the territory. The person who told the Journal about Trump's comments said they seemed like more of a joke about his power than a serious inquiry. According to U.S. and Danish government statistics, Greenland relies on $591 million of subsidies from Denmark annually, which make up about 60% of its annual budget.

Unique Kaspersky AV User ID Allowed 3rd-Party Web Tracking

Thu, 08/15/2019 - 11:30
Kaspersky antivirus solutions injected in the web pages visited by its users an identification number unique for each system. This started in late 2015 and could be used to track a user's browsing interests. From a report: Versions of the antivirus product, paid and free, up to 2019, displayed this behavior that allows tracking regardless of the web browser used, even when users started private sessions. Signaled by c't magazine editor Ronald Eikenberg, the problem was that a JavaScript from a Kaspersky server loaded from an address that included a unique ID for every user. Scripts on a website can read the HTML source and glean the Kaspersky identifier, which Eikenberg determined to remain unchanged on the system.

Cloudflare Says Cutting Off Customers Like 8chan is an IPO 'Risk Factor'

Thu, 08/15/2019 - 10:50
Networking and web security giant Cloudflare says the recent 8chan controversy may be an ongoing "risk factor" for its business on the back of its upcoming initial public offering. From a report: The San Francisco-based company, which filed its IPO paperwork with the U.S. Securities and Exchange Commission on Thursday, earlier this month took the rare step of pulling the plug on one of its customers, 8chan, an anonymous message board linked to recent domestic terrorist attacks in El Paso, Texas and Dayton, Ohio, which killed 31 people. The site is also linked to the shootings in New Zealand, which killed 50 people. 8chan became the second customer to have its service cut off by Cloudflare in the aftermath of the attacks. The first and other time Cloudflare booted one of its customers was neo-Nazi website The Daily Stormer in 2017, after it claimed the networking giant was secretly supportive of the website. "Activities of our paying and free customers or the content of their websites and other Internet properties could cause us to experience significant adverse political, business, and reputational consequences with customers, employees, suppliers, government entities, and other third parties," the filing said. "Even if we comply with legal obligations to remove or disable customer content, we may maintain relationships with customers that others find hostile, offensive, or inappropriate."

Trump Administration Asks Congress To Reauthorize NSA's Deactivated Call Records Program

Thu, 08/15/2019 - 10:10
Breaking a long silence about a high-profile National Security Agency program that sifts records of Americans' telephone calls and text messages in search of terrorists, the Trump administration on Thursday acknowledged for the first time that the system has been indefinitely shut down -- but asked Congress to extend its legal basis anyway. From a report: In a letter to Congress delivered on Thursday and obtained by The New York Times, the administration urged lawmakers to make permanent the legal authority for the National Security Agency to gain access to logs of Americans' domestic communications, the USA Freedom Act. The law, enacted after the intelligence contractor Edward J. Snowden revealed the existence of the program in 2013, is set to expire in December, but the Trump administration wants it made permanent. The unclassified letter, signed on Wednesday by Dan Coats in one of his last acts as the director of National Intelligence, also conceded that the N.S.A. has indefinitely shut down that program after recurring technical difficulties repeatedly caused it to collect more records than it had legal authority to gather. That fact has previously been reported, but the administration had refused to officially confirm its status.