Peer-To-Peer News - The Week In Review - November 17th, '12
Posted by JackSpratts, 14-11-12, 08:43 AM

Since 2002


































"You know how it goes with Demonoid. It might take a while but it will come back." – Site Admin


"Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you." – Mat Honan



































November 17th, 2012




Parents Not Liable for Their Son's Illegal Music Sharing, German Court Rules

The parents were not obliged to monitor their child's Internet usage, the court ruled
Loek Essers

A German couple are not liable for the filesharing activities of their 13-year-old son because they told him unauthorized downloading and sharing of copyrighted material was illegal, and they were not aware the boy violated this prohibition, the German Federal Court of Justice ruled on Thursday.

The parents met their parental obligations supervising a normally developed 13-year-old child by teaching him that filesharing is unlawful, the Federal Court of Justice ruled. The parents were not obliged to check up on the boy, or monitor his Internet behavior.

"Parents are in principle not obliged to monitor the child's Internet usage, to check the child's computer or to (partially) obstruct the child's access to the Internet," the court found. Parents are only committed to such measures when they have reasonable grounds to suspect their child is engaging in infringing activity when using the Internet, it added.

The parents were sued by record producers that hold the exclusive copyright to songs shared by the boy. In 2007, one of the producers discovered that 1,147 songs were offered for download at an IP-address that could be traced back to the parents of the boy, the court said.

When their home was searched, the son's PC was seized and on the computer the filesharing programs "Morpheus" and "Bearshare" were found. After that, the plaintiffs asked the parents of the boy to sign a cease and desist request to get them to agree to stop the filesharing now and in the future. The parents signed the request, but they refused to pay damages or legal costs.

While the boy shared over a thousand songs, the lawsuit was over 15 recordings for which the producers demanded €200 (US$255) per title or €3,000 in total, plus €2,380 in legal costs.

The ruling of the Federal Court of Justice reversed a ruling of the higher regional court of Cologne, which found the parents were liable for the illegal filesharing because they failed to fulfill their parental supervision. That court said the parents could have installed a firewall on their son's computer as well as a security program that would have made it possible to only allow the child to install software with the consent of his parents.

Besides that, the parents could have checked their son's PC once a month, and then the parents would have spotted the Bearshare icon on the computers' desktop, according to the Cologne court. "The Federal Court overturned the decision of the Appeal Court and dismissed it," the court said.

The Federal Court did not respond to a request for comment.
http://www.pcworld.idg.com.au/articl...court_ rules/





Draconian Downloading Law In Japan Goes Into Effect... Music Sales Drop
Mike Masnick

For years, we've pointed out that some in the music industry get so obsessed with "stopping piracy" that they miss the fact that their main job should be to increase revenue. They make the huge mistake of assuming that the two things are the same -- and that "stopping piracy" automatically leads to "increased revenue." Yet, almost every time that issue is explored empirically (over time), it doesn't seem to hold up. The latest example was sent in by Techdirt reader edinjapan, and it concerns the new draconian anti-piracy laws that recently went into effect there. If you believed the basic theory behind this law, this would mean that greater enforcement by police would mean less piracy... and a massive influx in revenue.

Except, the reality is that consumers are spending less on music than they were before the bill became law. The article actually posits that the government has made some people so fearful of being arrested that they won't do any downloading from legitimate sources any more -- just in case it's tainted. So even if they can cut out piracy (doubtful) there's little evidence to suggest much increase in commerce as a result.
https://www.techdirt.com/articles/20...les-drop.shtml





China Slams "Distorted" View of Copyright Piracy Problem
Ben Blanchard

China's top official in charge of fighting copyright piracy on Sunday slammed what he said was deliberate distortion of the problem by the Western media caused by the country's poor global image, saying important facts had been ignored.

Foreign governments, including the United States, have for years urged China to take a stronger stand against pervasive violations of intellectual property rights on products ranging from medicines to software to DVD movies sold on the street.

The United States in April again put China, along with Russia, on its annual list of countries with the worst records of preventing the theft of copyrighted material and other intellectual property.

But Tian Lipu, head of China's State Intellectual Property Office, said the government's efforts were being ignored.

"Speaking honestly, there is a market. People use and buy pirated goods," Tian told reporters on the sidelines of a landmark Communist Party congress.

"To a large extent, China's intellectual property rights protection image has been distorted by Western media.

"China's image overseas is very poor. As soon as people hear China they think of piracy and counterfeiting -- (Beijing's) Sanlitun, that place in Shanghai, Luohu in Shenzhen," he said, referring to places notorious for selling fake goods.

"We don't deny (this problem), and we are continuing to battle against it," Tian added.

But other facts were overlooked, he said.

"For example, China is the world's largest payer for patent rights, for trademark rights, for royalties, and one of the largest for buying real software," he said. "We pay the most. People rarely talk about this, but it really is a fact. Our government offices, our banks, our insurance companies, our firms ... the software is all real."

Microsoft Corp and other members of the Business Software Alliance in the United States complain that nearly 80 percent of the software installed on personal computers in China is pirated.

Tian said that if companies like Apple Inc were so worried by piracy they would never choose China for their production bases.

"Of the goods made for Apple, most are made in China. Once Apple's brand is added to it and it is exported to the United States its value doubles," he said.

"This could only happen because China's intellectual property rights environment sets foreign investors at ease allowing them to come to China to manufacture."

The International Intellectual Property Alliance, a U.S. coalition of film, software, music and publishing groups, estimates that U.S. companies lost more than $15 billion in 2009 due to international copyright theft.

About $14 billion of the total was due to software piracy, with an estimated $3.5 billion in losses in China and $1.4 billion in Russia.

(Editing by Ron Popeski)
http://www.reuters.com/article/2012/...8AA04620121111





Russia Hits File-Sharing Websites
Olga Razumovskaya

The Russian government briefly blocked two large websites that are a gateway to hundreds of thousands of movies, music, books and software, although not in an attempt to protect intellectual property rights, which is rare in Russia.

Instead, the sites were blocked as a result of a controversial law aimed at regulating the Internet.

Hastily adopted by the Russian parliament, the law took effect on Nov. 1 and is officially aimed at protecting children by targeting sites that contain child pornography, that may prompt people to commit suicide, or provide information on narcotics. Critics say the law’s phrasing is vague, opening up the possibility for websites of the Kremlin’s critics to be blocked.

This week, however, the law was used to block popular Russian website RuTracker.org, which, like the famous PirateBay, allows for file sharing directly between Internet users. A popular Russian-language electronic library based in Ecuador, Librusek at lib.rus.ec, was also entered into the registry of websites with potentially harmful content.

RuTracker said it was banned for containing the “Encyclopedia of suicide,” an empty file with no encyclopedia in it. Librusek was put on the online registry of banned content at http://zapret-info.gov.ru for the “Anarchist Cookbook,” a book with instructions on how to manufacture explosives and drugs at home.

One of the sites said it had expected the move.

“It would be naive to think that such a wise state initiative will leave us aside and as one should expect, it didn’t,” the administration of RuTracker wrote on its blog on Monday when the site entered the registry. Librusek could not be reached for comment.

Russia’s telecommunications and media regulator, Roskomnadzor, put both services on the banned websites registry Monday without officially providing any reasons. By Tuesday, the services were back online.
http://blogs.wsj.com/emergingeurope/...ring-websites/





Demonoid Is Back, BitTorrent Tracker is Now Online
Ernesto

After three and a half months of downtime Demonoid’s tracker is now back online. The unexpected revival of the tracker is the first sign of life in weeks and suggests that the Demonoid team is working to bring the full site back online. While the index and forum remain offline, the many thousands of torrents tracked by Demonoid have been brought back to life.

When Demonoid went down at the end of July the site’s admin blamed a DDoS attack. This initial attack resulted in a series of problems that were not easy to fix.

However, at the time the tech admin of the site was determined to get the site back online.

“You know how it goes with Demonoid. It might take a while but it will come back,” the admin told us.

This was easier said than done though, and things went from bad to worse when Demonoid’s hosting provider Colocall pulled the plug following pressure from Interpol. But despite the site’s entanglement in a criminal investigation, Demonoid’s users never gave up hope that the site would return.

Today, this hope appears to be justified as the first step towards a comeback has been made. A few hours ago Demonoid’s tracker was kicked back into action.

It may not come as a surprise that Demonoid is no longer with its former hosting company in the Ukraine. It appears that they have moved to Hong Kong instead, judging from the IP-address linked to the tracker.

While the news of the revived tracker will delight many Demonoid users, it may take some time before the site itself returns, if that’s the plan. In 2007 and 2009 Demonoid suffered similar downtime episodes and at the time the tracker reappeared several weeks before the site.

When the DDoS hit Demonoid late July the site also suffered from an “exploit of sorts” which caused some damage. It is unclear whether this has been resolved at this point. The admin told us at the time that if the site did indeed return, it might move over to the new code they had been testing for a while.

Time will tell if that’s indeed the case.

TorrentFreak has asked Demonoid’s tech admin for a comment on the tracker comeback and the possible return of the website, and we’ll update this article once we receive a response.
https://torrentfreak.com/demonoid-is...online-121112/





Verizon Will Reduce Speeds of Repeated BitTorrent Pirates
Ernesto

At the end of this month the controversial “six-strikes” anti-piracy system will kick off in the U.S., and today two of the participating Internet providers have been discussing what measures they will take against repeated BitTorrent pirates. Verizon plans to notify alleged pirates via email and voice-mail, and will throttle the connection speeds of repeated infringers. Time Warner Cable will warn subscribers through popups and restrict users’ Internet browsing by directing them to a landing page.

Last year the MPAA and RIAA teamed up with five major Internet providers in the United States to launch the Center for Copyright Information (CCI).

The parties agreed on a system through which subscribers are warned that their copyright infringements have been observed by rightsholders. After several warnings ISPs may then take a variety of repressive measures to punish the alleged infringers.

From leaked AT&T training documents we learned that the company will block users’ access to popular websites until they complete a copyright education course. However, none of the participating Internet providers have publicly commented on the measures they plan to take, until now.

During a panel discussion hosted by the New York Chapter of the Internet Society, Verizon and Time Warner Cable unveiled details of their plans.

Link Hoewing, Vice President of Internet and Technology Issues for Verizon, said his company will employ a three stage process. The first two alerts will result in a simple notification email informing the users that their connection has been flagged for copyright infringements.

After the second warning comes the acknowledgment phase in which a popup is delivered to users. Once received, subscribers are required to read and confirm, a process designed to ensure that they are aware of the unauthorized sharing that’s taking place via their account.

If the infringements continue punishments become a reality on the fifth and the sixth alerts. Hoewing said that these repeated infringers will have their Internet connections throttled resulting in significantly slower download speeds. The throttling is temporary and will be lifted after two or three days.

Fernando Laguarda, Time Warner Cable’s Vice President of External Affairs, said his company will take a slightly different approach. The notification and acknowledgment phases are fairly similar, but instead of reducing connection speeds they will restrict users’ Internet browsing by directing them to a landing page.

Laguarda did not explain in detail for how long users will be restricted or what websites they will be able to reach, if any.

CCI’s Executive Director Jill Lesser, who also participated in the panel, stressed that the main purpose of the alerts is to educate the public. The participating parties realize that determined individuals can circumvent the system by using a VPN or switching to other means of file-sharing that are not tracked under the agreement.

“Yes, there are ways around it, and yes there are other ways to pirate,” Lesser said, adding that these hardcore pirates are not the target of the system.

Finally, Lesser said that only large ISPs were invited to join the copyright alert system to make it easier to come to an agreement. However, now that everything is ready to be set in motion, the CCI is planning to invite other Internet providers.

Whether other providers will be eager to join remains to be seen. A Cox spokesperson previously told TorrentFreak that his company was invited but “decided not to participate for internal reasons.”
https://torrentfreak.com/verizon-wil...irates-121115/





How The Copyright Industry Drives A Big Brother Dystopia
Rick Falkvinge

All too often, I hear that the copyright industry doesn’t understand the Internet, doesn’t understand the net generation, doesn’t understand how technology has changed. This is not only wrong, it is dangerously wrong. In order to defeat an adversary, you must first come to understand their state of mind, rather than painting them as evil. The copyright industry understands exactly what the Internet is, and that it needs to be destroyed for that industry to stay even the slightest relevant.

Look at the laws being proposed right now. General wiretapping. Mandatory citizen tracking. Excommunication, for Odin’s sake. Sending people into exile. All these laws follow one single common theme: they aim to re-centralize the permission to publish ideas, knowledge, and culture, and punish anybody who circumvents the old gatekeepers’ way beyond proportion.

Having this gatekeeper position – having had this gatekeeper position – teaches somebody what power is, in the worst sense of the word. If you can determine what culture, knowledge, and ideas are available to people – if you are in a position to say yes or no to publishing an idea – then it goes much beyond the power of mere publishing. It puts you in a position to select. It puts you in a position where you get to decide people’s frame of reference. It literally gives you the power to decide what people discuss, feel, and think.

The ability to share ideas, culture, and knowledge without permission or traceability is built into the foundations of the net, just as it was when the Postal Service was first conceived. When we send a letter in the mail, we and we alone determine whether we identify ourselves as sender on the outside of the envelope, on the inside for only the recipient to know, or not at all; further, nobody may open our sealed letters in transit just to check up on what we’re sending.

The Internet mimics this. It is perfectly reasonable that our children have the same rights as our parents did here. But if our children have those same rights, in the environment where they communicate, it makes a small class of industries obsolete. Therefore, this is what the copyright industry tries to destroy.

They are pushing for laws that introduce identifiability, even for historic records. The copyright industry has been one of the strongest proponents of the Data Retention Directive in Europe, which mandates logging of our communications – not its contents, but all information about whom we contacted when and how – for a significant period of time. This is data that used to be absolutely forbidden to store for privacy reasons. The copyright industry has managed to flip that from “forbidden” to “mandatory”.

They are pushing for laws that introduce liability on all levels. A family of four may be sued into oblivion by an industry cartel in a courtroom where presumption of innocence doesn’t exist (a civil proceeding), and they’re pushing for mail carriers to be liable for the contents of the sealed messages they carry. This goes counter to centuries of tradition in postal services, and is a way of enforcing their will extrajudicially – outside the courtroom, where people still have a minimum of rights to defend themselves.

They are pushing for laws that introduce wiretapping of entire populations – and suing for the right to do it before it becomes law. Also, they did it anyway without telling anybody.

They are pushing for laws that send people into exile, cutting off their ability to function in society, if they send the wrong things in sealed letters.

They are pushing for active censorship laws that we haven’t had in well over a century, using child pornography as a battering ram (in a way that directly causes more children to be abused, to boot).

They are pushing for laws that introduce traceability even for the pettiest crimes, which specifically includes sharing of culture (which shouldn’t be a crime in the first place). In some instances, such laws even give the copyright industry stronger rights to violate privacy than that country’s police force.

With these concepts added together, they may finally – finally! – be able to squeeze out our freedom of speech and other fundamental rights, all in order to be able to sustain an unnecessary industry. It also creates a Big Brother nightmare beyond what people could have possibly imagined a decade ago. My undying question is therefore why people waltz along with it instead of smashing these bastards in the face with the nearest chair.

For instance, we hear that ISPs in the United States of America will start to serve the copyright industry in the treatment of its own customers, up until and including a possible exile of them as citizens, and most likely scrapping their right to anonymity for the already-going industry game of sue-a-granny.

This is bound to become a textbook example of bad customer relationships in future marketing books: making sure that your customers can be sued into oblivion by entire industry organizations in a rigged game where they’re not even innocent until proven guilty. Seriously, what were the ISPs thinking?

Today, we exercise our fundamental rights – the right to privacy, the right to expression, the right to correspondence, the right to associate, the right to assemble, the right to a free press, and many other rights – through the Internet. Therefore, anonymous and uncensored access to the Internet has become as fundamental a right itself as all the rights we exercise through it.

If this means that a stupid industry that makes thin round pieces of plastic can’t make money anymore, they can go bankrupt for all I care, or start selling mayonnaise instead.

That’s their problem.
http://falkvinge.net/2012/11/12/how-...ther-dystopia/





Enfour, Inc. Screws Up Big Time, Makes Dictionary App Auto-Post False Accusations On Users’ Twitter Accounts
Andreas Ødegård

Software piracy. It’s a bad thing, it’s cost Android a lot in apps that never make it there, and it’s a fairly large problem on iOS too. A big enough problem, in fact, that the developer of the Oxford Deluxe dictionary app – a $55 app mind you – decided to do something about it. Exactly what, I don’t know, but here’s what happened to me just now:

I sat down to grade papers for an English class, and loaded up the dictionary app I’ve been using for ages to check a word. I got asked for access to my Twitter account, declined, and was thrown out of the app. Again and again. OK, I thought, apparently some update means the app now requires access – nothing new, apps need location access to access photos, and I don’t plan on sharing any words on Twitter anyways, so why not. I checked my word, went back to grading.

A few minutes later, I get a Twitter notification email about someone replying to my tweet. What tweet? This one:

How about we all stop using pirated iOS apps? I promise to stop. I really will. #softwarepirateconfession

Only problem was, I never sent it. It didn’t take me long to figure out what had happened, and I started looking around a bit. Turns out it’s happening all over the place. Just check the tag.

So are we all software pirates? No. I still have the receipt email from August 18 2010 to prove that I paid the $50 for this app, as I do with all my apps. I have Installous, a jailbreak app for installing pirated apps, installed, but have only ever used it once: When Scanner Pro, which I also legally own, introduced a bug in the app that made the app stop working completely on my device. Installous lets you browse a list of available pirated versions of the app, which also means you can use it to go back to an older version of an app you legally own. This is otherwise impossible in iOS, unlike on Android.

I don’t know if there’s a relation there, but I assume so. If I were to guess, I assume the developer got tired of having the $50 app stolen, included a check for Installous, and simply forgot to actually add a method to see if the users had used it for the app in question. Whoops?

There’s a new update out for this app, dated November 1. It says to “Update now! Very important,” but gives no reason. This is a 340MB app, it’s not something I update for no reason. Well, I found out the reason, now didn’t I!

You don’t accidentally include a feature that asks for Twitter access and then uses that access to accuse the owner of software piracy. That’s put in there deliberately, and it’s just the trigger that’s off. It doesn’t matter. This is illegal. I take this very seriously, especially because I paid 50 freaking dollars for this app, and I intend to pursue the matter. All previous mentions of this app on this site have been removed. The review has been removed, the app is no longer in my education guide, etc. There are certain things one has to have zero tolerance for, and this is one of them. I also intend to submit a complaint to Apple and hopefully get this idiot of a developer banned from the app store for good. I also encourage everyone to boycott the developer, Enfour, inc.
http://www.pocketables.com/2012/11/e...-accounts.html





Louis CK to Offer HBO Show as DRM-Free Download, Chip Away at Cable Content Deals
Jon Fingas

With certain exceptions, HBO has developed a reputation for being protective of where and how its content goes digital. That makes Louis CK's plans for a 2013 comedy special a slight jolt to the system, even though it's not his first digital release linked to the channel. While HBO will get a first crack at airing the show, which will be recorded during Louis' ongoing tour, the comedian now plans to post the production online a few months afterwards using the same successful formula that has become his calling card: $5, no DRM and no region restrictions. The offering doesn't overhaul the industry, but it undoubtedly wrests control from the network as soon as the download link goes live. Think of Louis as making a small crack in cable TV's content wall.
http://artsbeat.blogs.nytimes.com/20...coming-to-hbo/





Bleak Future for Swedish Cinemas: Expert

A growing number of Swedish cinemas have had their final curtain call, with 25 percent closing down in the past ten years, a trend experts believe will continue.

"The decline of cinemas in rural areas can be explained by recent urbanization, as well as the bankruptcy of Astoria Cinemas in 2007," Torkel Stål, analyst at the Swedish Film Institute (SFI), told The Local.

The decline has seen 139 cinemas close down in the country since 2001, taking Sweden's total to just 478, according to SFI's statistics.

SF Bio, which is owned by the Bonnier Group, has long been the leading cinema chain in Sweden.

It operates 35 cinemas with 244 screens in over 20 cities across the country after taking over from Astoria Cinema's provincial theatres in 2007.

Västernorrland and Dalarna, two counties in the north of Sweden, are the areas where the heaviest decrease has occurred, with nearly four out of ten cinemas vanishing within ten years.

SFI's statistics show that the greatest urbanization came from Västernorrland.

Blekinge County is the only county in Sweden to record an increase in cinema complexes in the last ten years, boasting seven now compared to only six in 2001.

“Statistics from 2001 show the number of cinemas in Stockholm county have decreased from 40 to 29,” Stål said.

The number of actual theatres, however, has stayed at 116, he added.

The decline has nothing to do with people not wanting to go to the cinemas, if anything the number of people buying tickets has increased, Stål explains.

Stål believes the future of Swedish cinemas will include a continued decline of complexes, but that the number of cinema screens and visits will increase.

While Stål confessed that people downloading films online has had an effect on cinema figures, he claimed it did not influence closure figures.
http://www.thelocal.se/44474/20121116/





"Involuntary Porn" Site Tests the Boundaries of Legal Extortion

Site posts leaked nude photos without consent, charges $250 to take them down.
Timothy B. Lee

In the era of Polaroid cameras, you didn't have to worry too much about a racy snapshot you took in the privacy of your bedroom becoming available to the general public. But thanks to the rise of digital cameras and the Internet, that's now a real risk. Hackers, disgruntled exes, and other vindictive individuals who gain access to your compromising digital snapshots can share them with the world with a single click.

Recently, a number of websites have sprung up to cash in on the public humiliation of others. One of the first such sites was IsAnyoneUp, which solicited nude pictures of ordinary Americans submitted by third parties. To maximize the humiliation, the photos were posted along with identifying details such as name and home town. The site's owner, Hunter Moore, reportedly raked in thousands of dollars a month in advertising revenue, and he made the rounds on television talk shows defending his site.

Moore finally shuttered the site earlier this year, but others have jumped in to fill the sordid niche he pioneered. One such site is the creatively named IsAnybodyDown. Like the original, it features naked pictures of ordinary Americans, generally submitted without the subjects' consent, as well as personal information such as their names, hometowns, phone numbers, and screenshots of their Facebook pages.

Sleazy, yes—but is it extortion?

If you think IsAnyoneUp couldn't be any sleazier, then IsAnybodyDown seems determined to prove you wrong. A link on IsAnybodyDown reading "Get Me Off This Site!" leads to the website of "Takedown Hammer," an "independent third party team" that, for a modest fee of $250, will "issue a successful content removal request on your behalf." It brags of 90 successful removals from IsAnybodyDown.com.

It seems pretty obvious that "Takedown Hammer" isn't actually independent of IsAnybodyDown. Indeed, copyright and First Amendment attorney Marc Randazza has found circumstantial evidence that IsAnybodyDown and Takedown Hammer are, in fact, both owned by a man named Craig Brittain.

Randazza has made taking down IsAnybodyDown a personal cause. "I want to hurt isanybodydown.com. I want to hurt them bad," Randazza wrote in a recent blog post. "If anyone out there has been scammed by these crooks, contact me," Randazza wrote. "I will represent you pro bono."

Is it even illegal to run a site like IsAnybodyDown? "Involuntary porn" sites are so new that the courts haven't really dealt with them before.

In an interview earlier this month, Randazza told us that his legal strategy would depend on the client, but that he would likely sue Brittain for copyright infringement. Depending on where the client lived, he said there were also likely to be private torts available under state law.

We asked Paul Alan Levy, a free speech lawyer at Public Citizen, whether a victim of IsAnybodyDown would have a case against the site. He drew a parallel to other cases that have dealt with allegedly extortionate websites.

For example, Levy cited litigation over the website PissedConsumer.com. It collects negative comments about businesses, posts them to its website, and then charges businesses for the "service" of making those negative reviews less conspicuous. Unsurprisingly, the businesses who get negative reviews aren't happy about PissedConsumer's business model, and one of them sued the site arguing that PissedConsumer—like IsAnybodyDown—is little more than an extortion racket.

PissedConsumer countered that it is protected by Section 230 of the Communications Decency Act, which grants website operators broad immunity for user-submitted content. This summer, a judge refused to dismiss a case under Section 230 because the plaintiff alleged that PissedConsumer itself had written some of the allegedly defamatory reviews. Section 230 immunity is only available for content submitted by third parties and posted in an automated fashion.

A similar issue is likely to be raised in any litigation over IsAnybodyDown. Both Section 230 and the similar safe harbor under the Digital Millennium Copyright Act provide immunity for user-submitted content. But it's not clear whether the content on IsAnybodyDown qualifies as user-submitted under either safe harbor. "This doesn't go up in an automated fashion," Randazza told us. "They have a direct influence over the content."

Even if a plaintiff establishes that IsAnybodyDown isn't eligible for the safe harbors, it's still not clear that a plaintiff could win an extortion case. "So far as I know, none of these extortion theories has ever been litigated to a decision," Levy told us.

And, Levy said, "Those theories make me very nervous. On the one hand, if it is purely extortionate, that seems bad." On the other hand, he worries that charges of extortion could be used as a basis for frivolous litigation against more legitimate sites.

Levy had a similar perspective on copyright claims. The ability to sue would depend on who actually took the pictures. For example, if a photo were taken by a disgruntled ex-boyfriend, then the boyfriend, not the subject of the shot, would be the legal copyright holder. And he might not be interested in participating in a lawsuit. If the copyright holder did sue, the judge could issue an injunction ordering the photo to be removed and also awarding the plaintiff a "significant dollar amount" in damages.

Once again, while Levy said it was "hard to get too excited about the rights of the host of this site," he's worried about "the use of copyright law as an excuse to hammer Internet speakers when the real objection is to the content."
http://arstechnica.com/tech-policy/2...gal-extortion/





Internet Ban on Convicted Sex Offender 'Unreasonable', Rule Judges

Court of appeal's decision to uphold complaint over internet restriction could set precedent in hacking and fraud cases
Owen Bowcott

Banning anyone from the internet is an "unreasonable" restriction, two appeal court judges have ruled, suggesting that access to a computer at home has become a basic human right.

The decision by Mr Justice Collins and Judge Nicholas Cooke QC signals judicial recognition of how pervasive digital communications are in an era when a multitude of services can be obtained online.

The decision could prove a challenging precedent in computer hacking and fraud cases where suspects have frequently been banned from using computers for recreational purposes. At least one computer-hacking suspect, Jake Davis, has been prohibited from going online.

Upholding a complaint from a sex offender that he was being cut off from the world, the two judges declared it was "unreasonable nowadays to ban anyone from accessing the internet in their home".

Phillip Michael Jackson had been convicted of using a secret camera to film a 14-year-old girl in the shower. Jackson, 55, of Dartford, Kent, doctored a shampoo bottle and hid his mobile phone inside it to take the surreptitious video of the girl.

He was arrested after the youngster spotted a flashing light in the bottle. Police investigated and subsequently found hundreds of sexual images, featuring animals and children as young as four, stored on Jackson's computer.

He was sentenced to a community order with three years supervision at Woolwich crown court in June. He was also subjected to a sexual offences prevention order (Sopo), banning him from owning a computer, using a camera in public and coming into contact with children at work, and allowing the police to raid his home at any time.

His lawyers argued that the prevention order was unnecessary and disproportionate. When it was imposed the crown court judge had remarked that it should last until the day Jackson died.

Collins and Cooke, sitting in the court of appeal, overturned it and replaced it with an order that Jackson must make his internet history available for police viewing.

Collins told the court: "The judge imposing the Sopo said, 'I anticipate that you will die subject to this order – that is my wish anyway.' They were not appropriate remarks to have made."

He also criticised the "lurid language" used by the crown court judge, concluding that the order imposed on Jackson was "entirely excessive". He added: "Nowadays it is entirely unreasonable to ban anybody from accessing the internet in their home."
http://www.guardian.co.uk/technology...sonable-judges





Online Privacy Issue Is Also in Play in Petraeus Scandal
Scott Shane

The F.B.I. investigation that toppled the director of the C.I.A. and has now entangled the top American commander in Afghanistan underscores a danger that civil libertarians have long warned about: that in policing the Web for crime, espionage and sabotage, government investigators will unavoidably invade the private lives of Americans.

On the Internet, and especially in e-mails, text messages, social network postings and online photos, the work lives and personal lives of Americans are inextricably mixed. Private, personal messages are stored for years on computer servers, available to be discovered by investigators who may be looking into completely unrelated matters.

In the current F.B.I. case, a Tampa, Fla., woman, Jill Kelley, a friend both of David H. Petraeus, the former C.I.A. director, and Gen. John R. Allen, the top NATO commander in Afghanistan, was disturbed by a half-dozen anonymous e-mails she had received in June. She took them to an F.B.I. agent whose acquaintance with Ms. Kelley (he had sent her shirtless photos of himself — electronically, of course) eventually prompted his bosses to order him to stay away from the investigation.

But a squad of investigators at the bureau’s Tampa office, in consultation with prosecutors, opened a cyberstalking inquiry. Although that investigation is still open, law enforcement officials have said that criminal charges appear unlikely.

In the meantime, however, there has been a cascade of unintended consequences. What began as a private, and far from momentous, conflict between two women, Ms. Kelley and Paula Broadwell, Mr. Petraeus’s biographer and the reported author of the harassing e-mails, has had incalculable public costs.

The C.I.A. is suddenly without a permanent director at a time of urgent intelligence challenges in Syria, Iran, Libya and beyond. The leader of the American-led effort to prevent a Taliban takeover in Afghanistan is distracted, at the least, by an inquiry into his e-mail exchanges with Ms. Kelley by the Defense Department’s inspector general.

For privacy advocates, the case sets off alarms.

“There should be an investigation not of the personal behavior of General Petraeus and General Allen, but of what surveillance powers the F.B.I. used to look into their private lives,” Anthony D. Romero, executive director of the American Civil Liberties Union, said in an interview. “This is a textbook example of the blurring of lines between the private and the public.”

Law enforcement officials have said they used only ordinary methods in the case, which might have included grand jury subpoenas and search warrants. As the complainant, Ms. Kelley presumably granted F.B.I. specialists access to her computer, which they would have needed in their hunt for clues to the identity of the sender of the anonymous e-mails. While they were looking, they discovered General Allen’s e-mails, which F.B.I. superiors found “potentially inappropriate” and decided should be shared with the Defense Department.

In a parallel process, the investigators gained access, probably using a search warrant, to Ms. Broadwell’s Gmail account. There they found messages that turned out to be from Mr. Petraeus.

Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington, said the chain of unexpected disclosures was not unusual in computer-centric cases.

“It’s a particular problem with cyberinvestigations — they rapidly become open-ended because there’s such a huge quantity of information available and it’s so easily searchable,” he said, adding, “If the C.I.A. director can get caught, it’s pretty much open season on everyone else.”

For years now, as national security officials and experts have warned of a Pearl Harbor cyberattack that could fray the electrical grid or collapse stock markets, policy makers have jostled over which agencies should be assigned the delicate task of monitoring the Internet for dangerous intrusions.

Advocates of civil liberties have been especially wary of the National Security Agency, whose expertise is unrivaled but whose immense surveillance capabilities they see as frightening. They have successfully urged that the Department of Homeland Security take the leading role in cybersecurity.

That is in part because the D.H.S., if far from entirely open to public scrutiny, is much less secretive than the N.S.A., the eavesdropping and code-breaking agency. To this day, N.S.A. officials have revealed almost nothing about the warrantless wiretapping it conducted inside the United States in the hunt for terrorists in the years after 2001, even after the secret program was disclosed by The New York Times in 2005 and set off a political firestorm.

The hazards of the Web as record keeper, of course, are a familiar topic. New college graduates find that their Facebook postings give would-be employers pause. Husbands discover wives’ infidelity by spotting incriminating e-mails on a shared computer. Teachers lose their jobs over impulsive Twitter comments.

But the events of the last few days have shown how law enforcement investigators who plunge into the private territories of cyberspace looking for one thing can find something else altogether, with astonishingly destructive results.

Some people may applaud those results, at least in part. By having a secret extramarital affair, for instance, Mr. Petraeus was arguably making himself vulnerable to blackmail, which would be a serious concern for a top intelligence officer. What if Russian or Chinese intelligence, rather than the F.B.I., had discovered the e-mails between the C.I.A. director and Ms. Broadwell?

Likewise, military law prohibits adultery — which General Allen’s associates say he denies committing — and some kinds of relationships. So should an officer’s privacy really be total?

But some commentators have renewed an argument that a puritanical American culture overreacts to sexual transgressions that have little relevance to job performance. “Most Americans were dismayed that General Petraeus resigned,” said Mr. Romero of the A.C.L.U.

That old debate now takes place in a new age of electronic information. The public shaming that labeled the adulterer in Nathaniel Hawthorne’s “Scarlet Letter” might now be accomplished by an F.B.I. search warrant or an N.S.A. satellite dish.
https://www.nytimes.com/2012/11/14/u...s-privacy.html





Trying to Keep Your E-Mails Secret When the C.I.A. Chief Couldn’t
Nicole Perlroth

If David H. Petraeus couldn’t keep his affair from prying eyes as director of the Central Intelligence Agency, then how is the average American to keep a secret?

In the past, a spymaster might have placed a flower pot with a red flag on his balcony or drawn a mark on page 20 of his mistress’s newspaper. Instead, Mr. Petraeus used Gmail. And he got caught.

Granted, most people don’t have the Federal Bureau of Investigation sifting through their personal e-mails, but privacy experts say people grossly underestimate how transparent their digital communications have become.

“What people don’t realize is that hacking and spying went mainstream a decade ago,” said Dan Kaminsky, an Internet security researcher. “They think hacking is some difficult thing. Meanwhile, everyone is reading everyone else’s e-mails — girlfriends are reading boyfriends’, bosses are reading employees’ — because it’s just so easy to do.”

Face it: no matter what you are trying to hide in your e-mail in-box or text message folder — be it an extramarital affair or company trade secrets — it is possible that someone will find out. If it involves criminal activity or litigation, the odds increase because the government has search and subpoena powers that can be used to get any and all information, whether it is stored on your computer or, as is more likely these days, stored in the cloud. And lawyers for the other side in a lawsuit can get reams of documents in court-sanctioned discovery.

Still determined? Thought so. You certainly are not alone, as there are legitimate reasons that people want to keep private all types of information and communications that are not suspicious (like the contents of your will, for example, or a chronic illness). In that case, here are your best shots at hiding the skeletons in your digital closet.

KNOW YOUR ADVERSARY. Technically speaking, the undoing of Mr. Petraeus was not the extramarital affair, per se, it was that he misunderstood the threat. He and his mistress/biographer, Paula Broadwell, may have thought the threat was their spouses snooping through their e-mails, not the F.B.I. looking through Google’s e-mail servers.

“Understanding the threat is always the most difficult part of security technology,” said Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania and a security and cryptography specialist. “If they believed the threat to be a government with the ability to get their login records from a service provider, not just their spouse, they might have acted differently.”

To hide their affair from their spouses, the two reportedly limited their digital communications to a shared Gmail account. They did not send e-mails, but saved messages to the draft folder instead, ostensibly to avoid a digital trail. It is unlikely either of their spouses would have seen it.

But neither took necessary steps to hide their computers’ I.P. addresses. According to published accounts of the affair, Ms. Broadwell exposed the subterfuge when she used the same computer to send harassing e-mails to a woman in Florida, Jill Kelley, who sent them to a friend at the F.B.I.

Authorities matched the digital trail from Ms. Kelley’s e-mails — some had been sent via hotel Wi-Fi networks — to hotel guest lists. In crosschecking lists of hotel guests, they arrived at Ms. Broadwell and her computer, which led them to more e-mail accounts, including the one she shared with Mr. Petraeus.

HIDE YOUR LOCATION The two could have masked their I.P. addresses using Tor, a popular privacy tool that allows anonymous Web browsing. They could have also used a virtual private network, which adds a layer of security to public Wi-Fi networks like the one in your hotel room.

By not doing so, Mr. Blaze said, “they made a fairly elementary mistake.” E-mail providers like Google and Yahoo keep login records, which reveal I.P. addresses, for 18 months, during which they can easily be subpoenaed. The Fourth Amendment requires the authorities to get a warrant from a judge to search physical property. Rules governing e-mail searches are far more lax: Under the 1986 Electronic Communications Privacy Act, a warrant is not required for e-mails six months old or older. Even if e-mails are more recent, the federal government needs a search warrant only for “unopened” e-mail, according to the Department of Justice’s manual for electronic searches. The rest requires only a subpoena.

Google reported that United States law enforcement agencies requested data for 16,281 accounts from January to June of this year, and it complied in 90 percent of cases.

GO OFF THE RECORD At bare minimum, choose the “off the record” feature on Google Talk, Google’s instant messaging client, which ensures that nothing typed is saved or searchable in either person’s Gmail account.

ENCRYPT YOUR MESSAGES E-mail encryption services, like GPG, help protect digital secrets from eavesdroppers. Without an encryption key, any message stored in an in-box, or reached from the cloud, will look like gibberish. The intended recipient must get a key from the sender to read the message. The drawback is that managing those keys — which often involves writing them down — can be cumbersome. And ultimately, even though a message’s contents are unreadable, the frequency of communication is not. That is bound to arouse suspicions.

Wickr, a mobile app, performs a similar service for smartphones, encrypting video, photos and text and erasing deleted files for good. Typically, metadata for deleted files remains on a phone’s hard drive, where forensics specialists and skilled hackers can piece it back together. Wickr erases those files by writing gibberish over the metadata.

SET YOUR SELF-DESTRUCT TIMER Services like 10 Minute Mail allow users to open an e-mail address and send a message, and the address self-destructs 10 minutes later. Wickr also allows users to set a self-destruct timer for mobile communications so they can control how long a recipient can view a file before it disappears. But there is always the chance that your recipient captured screenshots.

DROP THE DRAFT FOLDER IDEA It may sound clever, but saving e-mails in a shared draft folder is no safer than transmitting them. Christopher Soghoian, a policy analyst at the American Civil Liberties Union, noted that this tactic had long been used by terrorists — Khaled Sheikh Mohammed, the mastermind of the 9/11 attacks, and Richard Reid, “the shoe bomber,” among them — and it doesn’t work. E-mails saved to the draft folder are still stored in the cloud. Even if they are deleted, e-mail service providers can be compelled to provide copies.

USE ONLY A DESIGNATED DEVICE Security experts suggest using a separate, designated device for sensitive communications. Of course, few things say philanderer, or meth dealer for that matter, like a second cellphone. (Watch “Breaking Bad.”)

GET AN ALIBI Then there is the obvious problem of having to explain to someone why you are carrying a pager or suddenly so knowledgeable about encryption technologies. “The sneakier you are, the weirder you look,” said Mr. Kaminsky.

DON’T MESS UP It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake — forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once — to ruin you.

“Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use,” Mr. Blaze warned. “We’ve all made the mistake of accidentally hitting ‘Reply All.’ Well, if you’re trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make.”

In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in their way may just lull you into a false sense of security.

Some people think that if something is difficult to do, “it has security benefits, but that’s all fake — everything is logged,” said Mr. Kaminsky. “The reality is if you don’t want something to show up on the front page of The New York Times, then don’t say it.”
https://www.nytimes.com/2012/11/17/t...f-couldnt.html





UK PM 'Orders New Curbs on Internet Porn'

David Cameron has ordered tough new controls on web pornography to protect children, it has been reported.

The new measures will mean that in future anyone buying a new computer or signing up with a new internet service provider (ISP) will be asked, when they log on for the first time, whether they have children.

If the answer is "yes", the parent will be taken through the process of installing anti-pornography filters, as well as a series of questions on how stringent they wish the restrictions to be, according to a newspaper.

The options include allowing parents to impose timed access limits on explicit material, or preventing children from viewing social networking sites such as Facebook during particular hours of the day.

Ministers will also tell ISPs to impose "appropriate measures" to make sure that those setting the controls are over 18, according to the Daily Mail.

They will also be told to prompt existing customers to install the technology to block pornography.

The measures, which are expected to be unveiled by the Government later this month, go further than recommendations drawn up by Reg Bailey, head of the Mother's Union, who was asked by ministers to look into the matter.

Ministers are expected to tell ISPs that they must bring in the new rules or face legislation.

A Downing Street source told the Mail: "We know lots of parents are concerned about the material their children are accessing on the internet and we want to do more to help. We've consulted on a variety of options on how we can make it safer for children online.

"Internet service providers have made great progress to date in implementing 'active choice' controls, as recommended by Reg Bailey, where all users are asked if they want to switch on parental controls.

"After intervention from the Prime Minister, the Government is urging providers to go one step further and make sure their systems actively encourage parents, whether they are new or existing customers, to switch on parental controls."
http://www.telegraph.co.uk/technolog...rnet-porn.html





Chinese Authorities Putting Pressure on Businesses to Help Censor the Web
Jonathan Ansfield

As the Chinese cyberpolice stiffened controls on information before the Communist Party leadership transition taking place this week, some companies in Beijing and nearby cities received orders to aid the cause.

Starting earlier this year, Web police units directed the companies, which included joint ventures involving American corporations, to buy and install hardware to log the traffic of hundreds or thousands of computers, block selected Web sites, and connect with local police servers, according to industry executives and official directives obtained by The New York Times. Companies faced the threat of fines and suspended Internet service if they did not comply by prescribed deadlines.

The initiative was one in a range of shadowy tactics authorities deployed in the months leading up to the 18th Party Congress, which is scheduled to end on Wednesday, in an escalating campaign against information deemed threatening to party rule. The effort, while spottily executed, was alarming enough to spur one foreign industry association to lodge a complaint with the government. Several foreign companies quietly resisted the orders, which posed risks to communications and trade secrets that they take pains to secure.

The events surrounding the party congress magnify the constant challenge facing China’s Internet security apparatus, which is to maintain the party’s lock on political power without choking off a wired China from the global economy.

The more intrusive recent measures appear aimed at plugging some of the gaps in China’s nexus of surveillance and censorship, sometimes termed the “great firewall.”

“It goes this way pretty much every time there’s some big political event in Beijing: the DVDs are gone, the prostitutes are gone, and the Internet’s slower,” said David van Meerendonk, an American who operates an information technology company here. “They’re struggling to find a balancing point.”

Over the past couple of weeks, partial blocking has crippled access to Google and other sites, at times completely. It has also disrupted programs that many people here use to circumvent surveillance and reach blocked overseas sites by other means. Some Internet providers have cut service for hours, citing “maintenance.” Democracy activists and foreign journalists have reported increased attacks on their e-mail accounts.

On domestic social networks, already vigorously policed, censors have fine-tuned their craft. Sina Weibo, the nation’s most popular microblogging site, has experimented with “semi-censorship,” as one blog termed it, filtering search results for once-unsearchable terms. One semi-censored term was the Chinese shorthand for the party congress itself: shiba da. Blocking it had prompted some of China’s more playful microbloggers to resort to a similar-sounding English substitute: “Sparta.”

Hu Jintao, China’s departing leader, in his report on the opening day of the congress last Thursday, gave no sign of any relaxation in controls. “We should strengthen social management of the Internet and promote standardized and orderly network operation,” he said.

The police and other agencies rely on legions of local censors, automated filtering and strict regulation of Internet service providers.

GreatFire.org, a Chinese-based blog that tracks government filtering, found in tests this month that Google e-mail was being partly blocked, and that blocking intensified after the congress began. One possible explanation for the strategy was that “authorities are nervous of fully blocking Gmail,” it said. “The government may be scared of a backlash from the urban, educated and young people who tend to use Gmail, not to mention the businesses that rely on it.”

In late summer, the police stepped up jamming on circumvention software, according to two party insiders with Chinese security ties. Students who use Freegate, free software backed by the banned spiritual movement Falun Gong, said that as early as August they experienced unusually frequent disruptions.

China says its online security policies are needed to fight pervasive fraud, cyberattacks, pornography and rumormongering.

But many of the controls seem aimed more at checking antigovernment activity. And the latest effort to enlist business represents a new front for the systems, already installed at many hotels, schools and coffee chains. Many corporations, especially foreign companies, use encryption and circumvention technologies to safeguard communications, allowing local employees to use blocked Web sites and skirt police surveillance.

This past summer, the Internet police in the provinces of Hebei and Shandong ordered three American companies to install the monitoring systems at local joint ventures, according to a spokesman for the Quality Brands Protection Committee, a foreign industry group representing more than 200 major corporations operating in China.

Elsewhere, American, Japanese and Korean companies received similar orders, executives said. They requested anonymity because they were not authorized to speak for their companies and feared compromising local business relationships.

The orders, first reported by CNN, cited existing regulations and designated vendors. The police in the Hebei city of Qinhuangdao notified one company that it would face a fine of 15,000 renminbi, or about $2,400, and lose Internet service for half a year if it did not install the system by mid-August.

Technology specialists warned that foreign companies installing the devices could be directly exposed to intellectual property theft and cyberattacks.

“This box, in addition to being able to monitor any queries about Tiananmen Square or Tibet or the Dalai Lama, also would be able to intercept all network communications from the China operations back to headquarters,” said Thomas Parenty, an information security consultant for foreign companies in China.

The Quality Brands committee spokesman said he believed the initiative amounted to overzealous local enforcement rather than national policy. The group has raised its concerns with the police and commerce ministries.

The ministries did not respond to questions.

Sometimes, enforcement seemed superficial. “I said, ‘We don’t have a network, so I could not use the piece of equipment,’ ” said the manager of one Western company, recalling the day the Beijing police tried to carry out the directive.

“He said, ‘Just sign.’ So I did,” the manager added. “I did not buy any equipment. I think the idea was to create fear that they can and will check.”
https://www.nytimes.com/2012/11/14/w...ensor-web.html





Obama Considering Prominent SOPA Supporter for Cabinet
Kevin Collier

President Obama is reportedly considering appointing one of the biggest supporters of the Stop Online Piracy Act (SOPA) as his new Secretary of State.

Howard Berman (D-Calif.), who represented the Hollywood area in Congress from 1982 until the 2012 election, when he was challenged and defeated by a fellow Democrat, is notorious among activists for his support of SOPA, a bill that was heavily sponsored by the Motion Picture Association of America (MPAA) and perceived to be so overzealous in shutting down Internet piracy that it was a threat to Internet freedom as a whole. The film industry has a long history of lobbying politicians, and gave $407,260 to Berman the past two years alone, according to Maplight.org.

SOPA never came to a vote when it was brought before Congress in January. A massive Internet strike against the bill, which included scores of Americans calling their representatives in Congress, led to a number of representatives renouncing their co-sponsorship. Berman was both an early supporter of SOPA and one of the remaining co-sponsors of the bill after it became clear it wouldn’t pass. The head of the MPAA, former Sen. Chris Dodd, infamously threatened to cut funding to candidates who didn’t keep supporting the bill.

Activist group Demand Progress recognized the possibility of Obama appointing Berman, and its members have created a petition against Berman getting the job. “If the United States really cares about global Internet freedom, there couldn’t be a worse pick for Secretary of State than Berman, who’s repeatedly tried to censor the web at Hollywood’s behest,” Demand Progress says.

Obama, it bears noting, officially decried SOPA a few days before it was shelved, though he’s not made Internet freedom a priority as of late.
https://mashable.com/2012/11/13/obam...d-berman-sopa/





An Anti-IP Turn for the GOP?
(UPDATE: RSC Disowns and Pulls the Brief)

Jordan Bloom

It’s often said that the Republican Party as an institution is generally more pro-business than pro-market, and that implies a host of things; energy subsidies, tax loopholes, and though it often goes unmentioned, strong intellectual property protection.

The pro-IP lobby in Washington is robust, though perhaps the new presence of the Internet Association, a lobbying group comprised of web companies, could put some counter-pressure on lawmakers.

But from a policy standpoint, in an age when the RIAA sues grannies and innocent parents of torrenting children to intimidate file-sharers, and tech companies waste billions on patent trolling, perhaps it might be time for the GOP to consider a more authentically laissez faire approach.

It appears they are. A Republican Study Committee policy brief released today to members of the House Conservative Caucus and various think tanks lays out “three myths about copyright law” and some ways to go about correcting what many see as a broken system. Derek Khanna, the RSC staffer who authored the paper, acknowledges an important role for intellectual property while also pointing out how badly the current system has gone off track.

The paper also suggests four potential solutions:

1. Statutory damages reform — in other words, saving granny the legal headaches
2. Expand fair use — set those DJs free!
3. Punish false copyright claims
4. Heavily limit copyright terms, and create disincentives for renewal

That would be a heck of a start towards making copyright actually incentivize innovation, rather than stifling it, as it most often does today.

It’s great to at least see this issue discussed in a substantive way–complaints about rigid IP protections have until now been limited to folks like Sen. Ron Wyden. Surprise opposition to SOPA excepted, neither party has taken a strong public stance on copyright reform. If the paper suggests a new turn for the GOP on the issue–against the Chamber of Commerce and for Internet companies, DJs, and millions of consumers–that would certainly beat the protectionism of bought-off legislators like Bob Goodlatte (who knew the citizens of Roanoke had such a stake in strong IP?). Read the whole thing (it’s only nine pages, and easy to digest) here.

Update: The RSC has now taken down the brief and disowned it via this memo from Executive Director Paul Teller. Here’s a copy of that.

And the original paper: http://www.scribd.com/doc/113633834/...Property-Brief
http://www.theamericanconservative.c...n-for-the-gop/





Google, Facebook, Netflix Defend Net Neutrality Rules in Court
Brendan Sasso

A coalition of technology companies is coming to the aid of the Federal Communications Commission and urging a federal court to uphold the agency's net neutrality regulations.

In a brief filed on Thursday with the U.S. Court of Appeals for the D.C. Circuit, companies including Amazon, Dish Network, eBay, Facebook, Google, Netflix, Sony and Twitter argued that the regulations protect the openness of the Internet and encourage investment in broadband infrastructure.

The filing was intended to rebut the arguments of Verizon and MetroPCS, which are suing to overturn the rules.

The FCC enacted its net neutrality order in late 2010. The regulations prohibit Internet service providers from discriminating against legitimate websites. Cellphone carriers are barred from blocking apps that compete with their own services.

The purpose of the rules is to prevent Internet providers from speeding up access to websites that pay special fees, or to their own sites. There is also concern that without the rules, Internet providers could slow down or block their competitors' sites.

The supporters of the rules say all websites should be treated equally, whether they are large corporate services or small personal blogs.

In its lawsuit, Verizon argued that the FCC lacked the legal authority to enact the rules and that the agency acted without sufficient evidence to suggest the rules were necessary.

The company also claimed that the rules violate its First Amendment right to free speech.

But in Thursday's filing, the technology companies, which united to form the Open Internet Coalition, argued that the rules fall within the FCC's authority to "encourage the deployment" of broadband Internet services.

The companies argued that increasing demand for data-heavy Internet content, such as streaming movies and online video chatting, drives investment in broadband.

The brief argued that many companies that provide those data-heavy Internet services "have based decisions to embark on significant investments precisely upon the premise of non-discriminatory access to content."

"If demand for the Internet were to stop growing or to grow more slowly, this would likely deter investment in new conduits to the Internet," they wrote.

The companies said the order has already spurred investments in wireless and wireline broadband, making it "one of the levers propelling the U.S. economy out of the still-lingering economic crisis."

They argued that if Internet providers could act as gatekeepers to web services, innovative startups would be "marginalized, stifled, endangered, or rendered extinct for failure to find funding."

The coalition also dismissed Verizon's claim that the rules violate its First Amendment rights, arguing that the rules actually facilitate free speech.

They argued that as an Internet provider, Verizon only transmits the speech of others and is not expressing any message of its own.

"The First Amendment is not the Open Internet Rules’ victim; it is their beneficiary," the companies wrote.

Consumer advocacy group Public Knowledge joined the companies in filing the brief.

Also on Thursday, the Center for Democracy and Technology, legal scholars, venture capitalists, former FCC Chairman Reed Hundt and former FCC Commissioner Michael Copps also filed briefs defending the rules.

The D.C. Court of Appeals, which is hearing Verizon's challenge, already ruled against the FCC when it tried to enforce the principle of net neutrality against Comcast in 2010. That setback led the FCC to enact its current regulations later that year.
http://thehill.com/blogs/hillicon-va...rules-in-court





Spike in Government Surveillance of Google
BBC

Governments around the world made nearly 21,000 requests for access to Google data in the first six months of this year, according to the search engine.

Its Transparency Report indicates government surveillance of online lives is rising sharply.

The US government made the most demands, asking for details 7,969 times in the first six months of 2012.

Turkey topped the list for requests to remove content.

Government 'bellwether'

Google, in common with other technology and communication companies, regularly receives requests from government agencies and courts around the world to have access to content.

It has been publishing its Transparency Report twice a year since 2009 and has seen a steady rise in government demands for data. In its first report in 2009, it received 12,539 requests. The latest figure stands at 20,939.

"This is the sixth time we've released this data, and one trend has become clear: government surveillance is on the rise," Google said in a blog post.

The report acts as a bellwether for government behaviour around the world, a Google spokeswoman told the BBC.

"It reflects laws on the ground. For example in Turkey there are specific laws about defaming public figures whereas in Germany we get requests to remove neo-Nazi content," she said.

"And in Brazil we get a lot of requests to remove content during elections because there is a law banning parodies of candidates.

"We hope that the report will shed light on how governments interact with online services and how laws are reflected in online behaviour," she added.

The US has consistently topped the charts for data requests. France, Germany, Italy, Spain and the UK are also in the top 10.

In France and Germany it complied with fewer than half of all requests. In the UK it complied with 64% of requests and 90% of requests from the US.

Removing content

Google said the top three reasons cited by government for content removal were defamation, privacy and security.

Worldwide authorities made 1,789 requests for Google to remove content, up from 1,048 requests for the last six months of 2011.

In the period from January to June, Turkey made 501 requests for content removal.

These included 148 requests related to Mustafa Kemal Ataturk - the first president of Turkey, the current government, national identity and values.

Others included claims of pornography, hate speech and copyright.

Google has its own criteria for whether it will remove content - the request must be specific, relate to a specific web address and have come from a relevant authority.

In one example from the UK, Google received a request from police to remove 14 search results that linked to sites allegedly criticising the police and claiming individuals were involved in obscuring crimes. It did not remove the content.
http://www.bbc.co.uk/news/technology-20319505





Windows 8 Sales Well Below Projections, Plenty of Blame to Go Around

Uncertainty could turn Windows 8 into the next Vista
Paul Thurrott

Sales of Windows 8 PCs are well below Microsoft’s internal projections and have been described inside the company as disappointing. But here’s the catch: The software giant blames the slow start on lackluster PC maker designs and availability, further justifying its new Surface strategy. But Windows 8’s market acceptance can be blamed on many factors.

One of my most trusted sources at Microsoft confirmed Windows 8’s weak start this week. And with all of the drama surrounding Windows 8 and the recent, unexpected departure of Windows chief Steven Sinofsky, rumors are sure to swirl. But looked at logically, some trends emerge.

Microsoft blames the PC makers. My source cited to me the PC makers’ “inability to deliver,” a damning indictment that I think nicely explains why the firm felt it needed to start making its own PC and device hardware. In a related conversation with Microsoft the week after BUILD, I floated the notion that the company’s retail store expansion could one day lead to it becoming the number one in-store experience for PC makers’ wares, a not-so-subtle change in their relationships. This idea had clearly been considered as a possible future, leading me to believe that Microsoft has indeed soured on its traditional partner relationships and is looking to shake things up.

Lingering questions about Sinofsky. While Steven Sinofsky was removed from Microsoft because of his divisiveness and his ostracizing of far too many valuable executives and employees, many will continue to wonder if some failing in Windows 8 (and Windows RT) is what in fact led to his ouster. The timing on his departure couldn’t be worse, and while the promotion of his closest lieutenant, Julie Larson-Green, was clearly designed to promote the notion of orderly transition, the fact that she wasn’t made president of the Windows division hints at more changes to come. One of Microsoft’s many problems under the Sinofsky regime was that it wasn’t at all transparent: Its current lack of transparency about the succession plan for Windows is just as problematic because it makes those outside the company distrust anything they say. This lack of trust will cause consumers to look elsewhere.

It’s the economy, stupid. Microsoft launched Windows 8 at a time of great economic uncertainty and midstream in business deployment of the product’s predecessor, Windows 7. It doesn’t take a tech analyst expert to know that businesses are simply not going to deploy Windows 8 in great numbers. And while that’s obvious, it also means that only consumer acceptance of Windows 8 can possibly help this release match the success of its predecessors. But consumers have plenty of choice these days, and many are quite comfortable stretching out the next PC purchase and using a companion device, like an iPad or other tablet. The problem is, they may discover that’s all the computer they need and simply opt out of Windows going forward.

Confusing range of device types. Faced with a reimagined, touch-focused Windows that is more at home on mobile devices than traditional PCs, and responding to increasingly hysterical pleas from Microsoft to innovate more, PC makers attempted to do in hardware what Microsoft did in Windows 8’s software: Create hybrid devices that could serve all needs. Unfortunately, the result is a mess of different hybrid designs, rather than a concerted, industry-wide effort to consolidate around a few basic designs. The result is obvious: Confusion, both on the PC maker side—where different companies are pushing a variety of different design types—and with consumers, who simply don’t know which, if any, device types to make. I love Lenovo, but consider this one PC maker’s designs: The firm is selling traditional laptops and Ultrabooks, touch-based laptops and Ultrabooks, “multimode” convertible laptop/tablets (the Yoga line), a traditional convertible Ultrabook (ThinkPad Twist), slate-type tablets (ThinkPad Tablet 2), slate-type tablets with keyboard docks (IdeaPad Lynx), and then a related but separate line of Android tablets. And that’s just the portable computers.

Windows 8. It’s a floor wax. No, it’s a dessert topping. Microsoft’s new whatever-the-F-it-is operating system is a confusing, Frankenstein’s monster mix of old and new that hides a great desktop upgrade under a crazy Metro front-end. It’s touch-first, as Microsoft says, but really it’s touch whether you want it or not (or have it or not), and the firm’s inability to give its own customers the choice to pick which UI they want is what really makes Windows 8 confounding to users. I actually like Windows 8 quite a bit and can’t imagine switching back. But I do understand the complaints of customers who aren’t getting what they wanted or asked for.

Windows RT. Imagine Apple announcing a major new version of iOS and then releasing a new tablet that runs Mac OS X instead of that new iOS version. Doesn’t make a lick of sense, does it? Well, that’s what Microsoft did: On the day that Microsoft launched Windows 8, it also launched Surface … running Windows RT. And while Windows RT is obviously a version of Windows 8, it’s a largely incompatible version of Windows 8, and one that runs in the resource constrained ARM environment. That means no existing desktop software will run on these devices, not to mention lots of hardware. Confusing? You bet. And I actually get this stuff. What’s a typical consumer to think?

Surface. And speaking of Surface, it bears repeating that Microsoft is now competing directly with its partners. But even educated consumers are confused by this entry. Those that do understand they should skip Windows RT now have to wait until January to see what a Surface Pro is like. And that means ... you guessed it … they’re simply going to wait. How could Microsoft launch Windows 8 and not launch Surface Pro? It makes no sense at all.

Intel. If you’ve decided to skip Windows RT—which I think is wise, for now—you now face a strange choice on the Intel side. You can go with traditional “Ivy Bridge” type systems, providing the familiar performance and compatibility you’ve come to expect from PCs. Or you can go with new Atom “Clover Trail” systems, which can and do resemble Windows RT devices in ways both good—they’re thin, light, and get great battery life—and bad—they’re also resource constrained, with 2 GB of RAM and tiny storage allotments. This further muddies the water for consumers, triggering yet another “wait” reaction.

The net effect of all this stuff, I think, contributes to a wait-and-see approach with Windows 8. And that is exactly the opposite of what Microsoft and even the broader industry should want at this time. In this way, the Windows 8 launch is much like that of Vista, where a nagging (and in that case, tech blogger-led) cabal of disappointed voices dominated the discussion at launch and torpedoed the product before it had a chance. Windows 8 is no Vista, in many ways. Until it is.

All of this was avoidable.
http://winsupersite.com/windows-8/wi...lame-go-around





Text Messaging Declines in U.S. for First Time, Report Says
Brian X. Chen

In countries around the world, text-message traffic has been shrinking because Internet-powered alternatives are becoming so widely used. American carriers have fought off the decline — until now.

For the first time, the American wireless market saw a decline in the total number of messages sent by each customer each month, according to a report published Monday by Chetan Sharma, an independent mobile analyst who is a consultant for wireless carriers. In the third quarter of this year, cellphone owners sent an average of 678 texts a month, down from 696 texts a month in the previous quarter.

Though that’s a small dip, the change is noteworthy because for several years, text messaging had been steadily growing in the United States. Mr. Sharma said it was too early to tell whether the decline here would continue, but he noted that Internet-based messaging services, like Facebook messaging and Apple’s iMessage, had been chomping away at SMS usage. He said the decline would become more pronounced as more people buy smartphones. A bit more than 50 percent of cellphone owners here have smartphones.

The downward trend in text messaging is also evident among American businesses who offer cellphones to their employees. Tero Kuittinen, vice president of Alekstra, a company that helps people manage cellphone costs, said that employees at 10 of its corporate clients were sending 5 to 10 percent fewer text messages than a year ago.

Nonetheless, the seemingly imminent decline of text messaging, which is highly lucrative for carriers, doesn’t mean they need to lose much sleep. Big carriers like AT&T and Verizon Wireless are still posting healthy profits, largely because of revenue from mobile data plans, the fees people pay to use the Internet over their networks. Among the top three carriers, mobile data accounts for about 45 percent of the average amount of money made from each customer, Mr. Sharma said.
http://bits.blogs.nytimes.com/2012/1...united-states/





Disruptions: Casting a Ballot by Smartphone
Nick Bilton

Last Tuesday, millions of Americans stood in long lines to cast their votes. While they waited, sometimes for several hours, many used their smartphones to pass the time.

Some read articles about the election. Others updated their Twitter or Instagram feeds with pictures of the lines at the polls. And some took care of more private tasks, like sharing health information with their doctors, reading and editing confidential work documents, or paying bills and transferring money using banking applications.

Once in the voting booth, they slipped their phones into their pockets and purses and, in many cases, picked up a pen and a piece of paper to cast their ballot.

So at a time when we can see video shot by a robot on Mars, when there are cars that can drive themselves, and when we can deposit checks on our smartphones without going to a bank, why do most people still have to go to a polling place to vote?

That’s because, security experts say, letting people vote through their phones or computers could have disastrous consequences.

“I think it’s a terrible idea,” said Barbara Simons, a former I.B.M. researcher and co-author of the book “Broken Ballots: Will Your Vote Count?”

Ms. Simons then ran through a list of calamitous events that could occur if we voted by Internet. Viruses could be used to take over voters’ phones; rogue countries like Iran could commandeer computers and change results without our knowledge; government insiders could write software that decides who wins; denial-of-service attacks could take down the Internet on Election Day.

“It’s a national security issue,” Ms. Simons said. “We really don’t want our enemies to be able to determine our government for us — or even our friends for that matter.”

Of course, many of those concerns make sense. None of us want some evil autocrat picking the next president.

But other countries allow citizens to vote via the Internet, or are experimenting with the idea. In 2005, Estonia started testing an online voting system and has since registered more than a million voters who now cast their ballots online. Italy plans to test an online voting system this year.

Not the United States, the land of the free and the home of the smartphone.

Ronald L. Rivest, a computer scientist at the Massachusetts Institute of Technology, said that for now, the best technology out there is the one we’ve been using.

“Winston Churchill had a famous saying that democracy is the worst form of government, except for all those other forms that have been tried before,” Mr. Rivest said. “You can apply the same statement to paper ballots, which are the worst form of voting, but better than all the others that have been tried before.”

Mr. Rivest, who is the R in the name of the RSA encryption system, which is used by government institutions and banks, said that if things went wrong on Election Day, chaos could ensue, because doubts about the results would rattle the foundations of our democracy.

“One of the main goals of the election is to produce credible evidence to the loser that he’s really lost,” he said. “When you have complicated technology, you really do have to worry about election fraud.”

So what’s the solution? Ms. Simons and Mr. Rivest both seemed certain that the best alternative was to stick with a technology that’s a couple of thousand years old. “Paper,” they both said, as if reading from the same script. “Paper ballots.”

Voting by mail, which some cite as an option, lets people avoid the lines, but it is not so easy on the vote counters. In states where this is allowed, envelopes have to be opened and ballots sorted into precincts. Then the signature needs to be matched with that on the voter registration card. None of this is terribly efficient.

So in 10, 20 or 100 years, when our cars have been replaced with self-flying spaceships, robots take our children to school, and our smartphones are chips in our heads, will we still be using a pen and paper to choose our president? I sure hope not.

After Hurricane Sandy disabled power and transportation for many in New Jersey, the state announced that some people would be allowed to vote by e-mail. The entire operation was pulled together in three days. Although there were problems, the system worked for most.

Digital voting could drive more Americans to the polls. According to a report released by the Census Bureau this year, nearly 50 million Americans didn’t vote in the 2008 election. Millions of people said this was because they were out of town, had transportation problems or were too busy to get to the polls. Internet voting could let millions more people take part.

There are, as the security experts point out, a litany of issues to confront before this happens, but it’s not impossible.

Alexander Keyssar, a professor of history and social policy at Harvard and author of the book “The Right to Vote,” added one more issue to the list: voter coercion, in which your boss or someone else bullies you into picking a candidate, perhaps right in front of them. But Mr. Keyssar said people might eventually have the option to vote via the Web.

“I think it’s something that the government should be looking to develop as a down-the-road option,” he said, adding that in Brazil, one branch of a government group called the Federal Election Tribunal has the task of exploring digital voting technologies. “We could have a similar tribunal here,” he said.

In his acceptance speech, President Obama acknowledged the problems of those who had to wait in long lines to vote, saying, “By the way, we have to fix that.”

There are more than twice as many mobile phones in the United States as there are people who voted during this last election. As one option to “fix that,” I’d vote for an app that allows me to cast my ballot from the privacy of my own home, rather than waiting in line to mark a piece of paper with a pen.
http://bits.blogs.nytimes.com/2012/1...by-smartphone/





The Globalization Of Cyberespionage

Newly revealed cyberspying campaign against Israeli and Palestinian targets demonstrates how the threat is no longer mostly a China thing
Kelly Jackson Higgins

A recently discovered targeted cyberespionage campaign targeting Israeli and Palestinian organizations in operation for more than a year serves as chilling evidence that cyberspying is a global phenomenon and no longer mostly the domain of massive nation-states like China.

While much of the attention has been trained on China as the source of cyberespionage, the discovery of this latest operation highlights just how popular and easy it has become to execute cyberspying. Thanks to ease of access and use of remote access Trojan (RAT) tools and reliability of social engineering, you don't need nation-state backing to conduct these types of targeted attacks. RATs traditionally had been associated with Chinese-based attackers, but that conventional wisdom is shifting as other nations and politically motivated attackers move to cyberspying via these tools to more efficiently gather intelligence on their marks.

Researchers at Norman Security today revealed that they recently analyzed malware used in phishing emails targeting Israeli and Palestinian targets and found that attackers used malware based on the widely available Xtreme RAT crimeware kit. The attacks, which first hit Palestinian targets, this year began going after Israeli targets, including Israeli law enforcement agencies and embassies around the world. Norman says the same attacker is behind the attacks because the attacks use the same command-and-control (C&C) infrastructure, as well as the same phony digital certificates.

This attack campaign just scratches the surface of the breadth and spread of these types of attacks around the world as more players have been turning to cyberspying. "We're just seeing the tip of the iceberg," says Einar Oftedal, deputy CTO at Norman.

Oftedal says he has seen XTreme RAT used in all types of attacks. What was most striking about this campaign is that the same attacker used it to go after both Israelis and Palestinian interests. With only the malware and email samples to study, however, he says, Norman can't draw any conclusions on who is behind the attacks.

Aviv Raff, CTO of Seculert, which also has been studying the attacks, says there appears to be a political motive for the attacks, and that the perpetrators could be Hamas hacktivists or someone from their own cyberarmy, he says.

Cyberespionage attacks from various players will increase in the coming year, he says. "I believe that next year we'll see more actors from different nations" conducting cyberespionage, Raff says. "I think such efforts are already in place, and [we] saw that with last year's attacks. The way I see this is that next year, more of such attacks will be discovered -- meaning they are taking place as we speak but go under the radar."

Israeli police last month pulled all of their computers off the Internet after discovering a rogue file spreading around their systems. Seculert studied the attack and concluded that the attacks were based on the Xtreme RAT, a not-so advanced but highly persistent attack tool.

That assessment was confirmed by Norman's research today. "This was not too advanced," Norman's Oftedal says. "They were using off-the-shelf Trojans. The only advanced piece is the digital certificates," which were created to appear as Microsoft-signed, he says.

The attackers initially used C&C servers located in the Gaza Strip region, and later moved them to hosting firms in the U.S. and U.K., according to Norman's findings.

Other researchers, including Dell SecureWorks, have spotted related Xtreme RAT activity against Palestinian and Israeli targets. Joe Stewart, director of malware research at Dell SecureWorks, says he has also seen Chinese hackers using XTreme RAT for cyberespionage, too.

But the similarities between nation-state Chinese attackers and these Middle Eastern political attacks end there. "A lot of targeting that's going on lately are kind of ad-hoc programs being spun up in response to Arab Spring ... and throwing up commodity [Trojans]," Stewart says. "There's no time to spin up the next Flame. They use what's out there and available."

And researchers and victim organizations are also getting more experienced at spotting possible targeted attacks, which is adding to the snowball effect of new cyberespionage players and victims.

"Now that people realize espionage is the focus in a lot of cases, they are not so quick to dismiss malware samples that come in that are new and not usual," Stewart says. "A few years ago, you'd think 'that was just a random hacker and I'll concentrate on Storm' or whatever threat was big at the time. Now you see samples that are not like any other samples ... and stand on their own because they are such low volume, and you realize this could be the next big story, a Stuxnet you got your hands on there that's worth delving into more."

The full report from Norman is available here.
http://www.darkreading.com/advanced-...espionage.html





Cybersecurity Bill Killed, Paving Way for Executive Order
Eric Engleman

U.S. Senate Republicans yesterday killed cybersecurity legislation backed by President Barack Obama, increasing prospects the White House will implement some of the bill’s provisions through an executive order.

Supporters failed 51-47 to get the 60 votes needed under Senate rules to bring the bill up for passage. Republicans blocked the same measure in August, saying it would lead to more government regulation of business.

“It to some degree hardens the lines of division, which makes it more likely we’ll see an executive order rather than an attempt to revive the legislation in the near term,” Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security, said in an interview.

“The only other thing that can produce legislation is a major cybersecurity meltdown,” said Baker, a partner at the Steptoe & Johnson law firm in Washington.

Administration officials have continued to warn about cyber threats capable of widespread damage. Defense Secretary Leon Panetta in a speech in New York last month said computer assaults by other countries or extremist groups could be as destructive as the Sept. 11 attacks.

White House officials have said Obama was considering an order creating a program to protect vital computer networks from cyber attacks if Congress failed to pass an acceptable law.

Majority Leader Harry Reid, a Nevada Democrat, said the Senate vote killed any chance for congressional action this year.

“Cybersecurity is dead for this Congress,” Reid said after the vote.

Four Republican senators broke ranks with their party to vote in favor of advancing the Senate bill, and five Democrats joined Republicans in opposition.

Infrastructure Threats

The legislation, introduced in February by Senators Joe Lieberman, a Connecticut independent, and Susan Collins, a Maine Republican, would have created voluntary cybersecurity standards for companies that operate infrastructure such as power grids and chemical plants considered essential to U.S. national security. The bill also would have encouraged companies and the government to share information on cyber threats.

Republicans and the U.S. Chamber of Commerce, the nation’s largest business lobby, opposed the voluntary standards, saying they would be a back door to government regulation and fail to keep pace with evolving threats in cyberspace. The chamber released a letter yesterday reiterating its opposition.

“Whatever we do on this bill, it’s not enough for the Chamber of Commerce,” Reid said.

Pentagon Role

Obama has signed a separate directive setting policy for how the government handles threats in cyberspace, according to three current and former administration officials. The directive opens the door to a bigger role for the Defense Department, directing it to provide civilian agencies with technical help on cybersecurity, according to a former senior intelligence official familiar with the document.

The debate over cybersecurity legislation has turned from substantive analysis to a “political blame game” about who can best protect the nation, Senator Charles Grassley, an Iowa Republican, said on the floor before yesterday’s vote.

“Rushing something through that will impact the country in such a massive way is not a way we should do business,” Grassley said.

Information Sharing

Senate Republicans, including Grassley, John McCain of Arizona and Kay Bailey Hutchison of Texas, had urged more limited legislation to encourage government and companies to share information about cyber threats, along the lines of a bill they introduced in March.

The Republican-controlled House of Representatives in April passed a similar information-sharing measure, sponsored by Mike Rogers, a Michigan Republican who leads the House Intelligence Committee, and the panel’s top Democrat, C.A. “Dutch” Ruppersberger of Maryland.

The Obama administration said it would veto the House measure because it doesn’t safeguard the privacy of consumer data that may be shared or protect the nation’s infrastructure from cyber attacks.

The Lieberman bill is S. 3414. The McCain bill is S. 3342. The Rogers bill is H.R. 3523.
http://www.bloomberg.com/news/2012-1...ive-order.html





Obama Signs Secret Directive to Help Thwart Cyberattacks
Ellen Nakashima

President Obama has signed a secret directive that effectively enables the military to act more aggressively to thwart cyberattacks on the nation’s web of government and private computer networks.

Presidential Policy Directive 20 establishes a broad and strict set of standards to guide the operations of federal agencies in confronting threats in cyberspace, according to several U.S. officials who have seen the classified document and are not authorized to speak on the record. The president signed it in mid-October.

The new directive is the most extensive White House effort to date to wrestle with what constitutes an “offensive” and a “defensive” action in the rapidly evolving world of cyberwar and cyberterrorism, where an attack can be launched in milliseconds by unknown assailants utilizing a circuitous route. For the first time, the directive explicitly makes a distinction between network defense and cyber-operations to guide officials charged with making often-rapid decisions when confronted with threats.

The policy also lays out a process to vet any operations outside government and defense networks and ensure that U.S. citizens’ and foreign allies’ data and privacy are protected and international laws of war are followed.

“What it does, really for the first time, is it explicitly talks about how we will use cyber-operations,” a senior administration official said. “Network defense is what you’re doing inside your own networks. . . . Cyber-operations is stuff outside that space, and recognizing that you could be doing that for what might be called defensive purposes.”

The policy, which updates a 2004 presidential directive, is part of a wider push by the Obama administration to confront the growing cyberthreat, which officials warn may overtake terrorism as the most significant danger to the country.

“It should enable people to arrive at more effective decisions,” said a second senior administration official. “In that sense, it’s an enormous step forward.”

Legislation to protect private networks from attack by setting security standards and promoting voluntary information sharing is pending on the Hill, and the White House is also drafting an executive order along those lines.

James A. Lewis, a cybersecurity expert at the Center for Strategic and International Studies, welcomed the new directive as bolstering the government’s capability to defend against “destructive scenarios,” such as those that Defense Secretary Leon E. Panetta recently outlined in a speech on cybersecurity.

“It’s clear we’re not going to be a bystander anymore to cyberattacks,” Lewis said.

The Pentagon is expected to finalize new rules of engagement that would guide commanders on when and how the military can go outside government networks to prevent a cyberattack that could cause significant destruction or casualties.

The presidential directive attempts to settle years of debate among government agencies about who is authorized to take what sorts of actions in cyberspace and with what level of permission.
http://www.washingtonpost.com/world/...9c3_story.html





Anonymous Takes Down Over 650 Israeli Sites, Wipes Databases, Leaks Email Addresses and Passwords
Emil Protalinski

When the Israel Defense Forces (IDF) this week began taking military action in the Gaza strip against Hamas (as the IDF announced on Twitter), Anonymous declared its own war as part of #OpIsrael. Among the casualties are thousands of email addresses and passwords, hundreds of Israeli Web sites, government-owned as well as privately owned pages, as well as databases belonging to Bank Jerusalem and the Ministry of Foreign Affairs.

Israel Ministry of Foreign Affairs database has been deleted | mashav.mfa.gov.il | #OpIsrael

— Anonymous (@YourAnonNews) November 16, 2012

Bank of Jerusalem database has been deleted | bankjerusalem.co.il| #OpIsrael #Anonymous

— Anonymous (@YourAnonNews) November 16, 2012


While the hacktivist group doesn’t appear to be anywhere near satisfied yet, the YourAnonNews account, which has over 686,000 followers, did just send out this message:

Israel, all your base are belong to us.

— Anonymous (@YourAnonNews) November 16, 2012


If that’s not a declaration of success, I don’t know what is. There have so far been hundreds of takedowns of sites by Distributed Denial of Service (DDoS) attacks; one Pastebin trying to list them all includes 659 Web sites. Not all of them are still down, but some are, and others are still defaced.

Another AnonPaste includes 2,004 email addresses, the majority of which appear to have corresponding passwords, allegedly stolen from a MySQL database belonging to dirotmodiin.co.il, a site for finding real estate in Israel. Many of them are hosted on Israeli domains, but there are also the usual Gmail, Hotmail, and Yahoo accounts.

Yet as already mentioned, we’re talking about more than just DDoS attacks that are overloading Web sites, such as tel-aviv.gov.il, the municipal site for the second most populous city in Israel (after Jerusalem). There are also plenty of defacements, and, as of a few minutes ago, databases have also been wiped.

While the Israeli government almost certainly has backups of the aforementioned databases, these attacks as well as the defacements show Anonymous isn’t just doing its usual spree of overloading target sites. OpIsrael appears to have gotten multiple hackers involved who are interested in doing actual damage, or at least something that is slightly more permanent than just a 404.

Update at 8:20PM EST: The Twitter account is now claiming that over 9,000 sites have been taken down or defaced, but don’t be fooled: this is a meme reference.

Yes, over 9,000 websites are down or defaced right now for #OpIsrael. RT @shaved_llama: @youranonnews ITS OVER 9000!

— Anonymous (@YourAnonNews) November 17, 2012

A press release attempts to explain Anonymous’ motives behind the attacks:

Greetings World

For far too long, Anonymous has stood by with the rest of the world and watched in despair the barbaric, brutal and despicable treatment of the Palestinian people in the so called “Occupied Territories” by the Israel Defense Force. Like so many around the globe, we have felt helpless in the face of such implacable evil. And today’s insane attack and threatened invasion of Gaza was more of the same.

But when the government of Israel publicly threatened to sever all Internet and other telecommunications into and out of Gaza they crossed a line in the sand. As the former dictator of Egypt Mubarak learned the hard way – we are ANONYMOUS and NO ONE shuts down the Internet on our watch. To the IDF and government of Israel we issue you this warning only once. Do NOT shut down the Internet into the “Occupied Territories”, and cease and desist from your terror upon the innocent people of Palestine or you will know the full and unbridled wrath of Anonymous. And like all the other evil governments that have faced our rage, you will NOT survive it unscathed.

To the people of Gaza and the “Occupied Territories”, know that Anonymous stands with you in this fight. We will do everything in our power to hinder the evil forces of the IDF arrayed against you. We will use all our resources to make certain you stay connected to the Internet and remain able to transmit your experiences to the world. As a start, we have put together the Anonymous Gaza Care Package – http://bit.ly/XH87C5 – which contains instructions in Arabic and English that can aid you in the event the Israel government makes good on its threat to attempt to sever your Internet connection. It also contains useful information on evading IDF surveillance, and some basic first aid and other useful information. We will continue to expand and improve this document in the coming days, and we will transmit it to you by every means at our disposal. We encourage you to download this package, and to share it with your fellow Palestinians to the best of your ability.

We will be with you. No matter how dark it may seem, no matter how alone and abandoned you may feel – know that tens of thousands of us in Anonymous are with you and working tirelessly around the clock to bring you every aid and assistance that we can.

We Are Anonymous
We Are Everywhere
We Are Legion
We Do Not Forgive
We Do Not Forget

To the oppressors of the innocent Palestinian people, it is too late to EXPECT US


A second press release has even more to add.

http://thenextweb.com/insider/2012/1...and-passwords/





The New Face of Energy Insecurity
Blake Clayton

The future of energy insecurity has arrived. In August, a devastating cyber attack rocked one of the world’s most powerful oil companies, Saudi Aramco, Riyadh’s state-owned giant, rendering thirty thousand of its computers useless. This was no garden-variety breach. In the eyes of U.S. defense secretary Leon Panetta, it was “probably the most destructive attack that the private sector has seen to date.”

What makes this kind of attack so worrying is the risk it poses to energy prices and hence the U.S. economy. Stopping oil production in Saudi Arabia could turn into a catastrophic loss of oil supplies. Even a short outage could cause prices to fly off the handle, setting off a scramble as market participants rushed to buy oil in case the shortage dragged on. Because the oil market is global in nature, a production outage anywhere can cause oil prices the world over to soar. U.S. officials should take note: A cyber threat to a company so central to the world energy market as Saudi Aramco poses a significant risk to the economic well-being of the United States.

The August attack on Saudi Aramco was only the most recent volley in what Washington has described as “low-grade cyberwar” in the Middle East, in this case likely involving Iran. The Shamoon virus the hackers deployed, judging by its sophistication and signature, was the handiwork of a state-supported effort, according to Secretary Panetta, though some U.S. investigators have disputed that assessment. Security experts surmise that the attack may have involved someone with privileged access to the company’s computer network.

Saudi Aramco was not the only casualty. RasGas, a Qatari natural gas company and the second-biggest producer of liquefied natural gas in the world, fell victim to an identical virus a short time after the Saudis. Like Aramco, RasGas announced that despite the attack, which left some of its computers “completely dead,” its energy production was not affected. Experts surmise that the Iranian attacks were likely payback for the apparently Western-backed Stuxnet virus, which struck the country’s Natanz nuclear plant.

Oil, gas and petrochemical companies are popular targets for hackers, who have ramped up their assault on these firms over the last two years. McAfee, an Internet-security firm, described in a recent study a barrage of “coordinated covert and targeted cyberattacks,” coming mostly from China, targeting energy companies around the world. The aim of these operations was to get ahold of proprietary data such as oil reserves, bidding strategies and critical infrastructure. The trade secrets that this string of attacks, dubbed Night Dragon by McAfee, sought to capture are big business. Stewart Baker, a former assistant secretary of homeland security, called information about “what oil exploration companies have found and not found” the “most valuable intelligence in the commercial world.”

But this summer’s attack on Saudi Aramco differs from these more traditional cyber espionage cases in a critical way: It wasn’t about the data. It was about disabling the company’s operations. Both are serious, but the former poses a systemic risk that, if successful, could make waves far beyond the health (or even survival) of a single company. American consumers could suffer because of an incident involving an oil company that they know little about and is located thousands of miles away.

The United States may have narrowly averted a disaster when Aramco was hit. The global oil market responds to any news about Saudi Arabia’s oil production practically instantaneously. Word from Riyadh about a future production increase or preferred trading range for crude oil can cause markets to swoon. Little surprise, considering that the company accounts for around 12 percent of global oil supply. Fortunately, Saudi oil operations were unaffected by the computer outage, at least as far as is known. Had the Shamoon virus prevented the flow of oil to market somewhere along the supply chain, though, the effect on prices would have been much less benign.

Virtual warfare against energy companies will not end anytime soon. Hackers are well aware that crippling oil operations offers significant leverage, strategically speaking, as acts of terror: a single successful act has the potential to hurt oil-consuming nations far beyond the Middle East. Small wonder that oil-industry assets around the world—oilfields, loading platforms, pump stations and so on—were long ago identified by Osama bin Laden as targets. Saudi Aramco’s CEO, Khalid al-Falih, reiterated after the August 15 attack that “this was not the first time nor will it be the last illegal attempt to intrude into our systems.” It is conceivable that a future one, if successful, could amount to the “cyber-Pearl Harbor” of which Secretary Panetta has long warned U.S. policy makers.

Defending the world’s major energy suppliers against debilitating cyber threats will not be easy, but it is essential. The risk cannot be eliminated; Washington’s ability to protect the corporate infrastructure of a foreign organization like Saudi Aramco is inherently imperfect. But if the United States is serious about its own economic security, this is one battle it cannot afford to sit out.
http://nationalinterest.org/commenta...Nja3-c.twitter





Hardcoded Passwords Leave Telstra Routers Wide Open
Darren Pauli

Hardcoded usernames and passwords have been discovered in a recent line of Telstra broadband routers that could allow attackers access to customer networks.

SC was tipped off to the public disclosure of the flaws on 16 October, 2012, and given the threat posed to Telstra customers, had warned Telstra and delayed publication until the telco and vendor Netcomm had developed and fully tested a firmware fix.

The flaws meant attackers could bypass any unique passwords and access the device administrative console and customer's local network.

Bigpond Elite Network Gateway

Telstra has today issued a patch to fix the flaws and was contacting affected customers by phone and email to urge them to apply the fix.

The firmware upgrade was the only means of removing the unchangeable default logins introduced by Netcomm into the BigPond Elite Wireless BroadBand Network Gateway line.

"We’ve now published a firmware update and are contacting all customers with this type of modem to ensure they install the patch," Telstra told SC in a statement.

"...we’ve worked as quickly as possible with our vendor to design, create, test and deploy a software update for our customers."

Milan-based security researcher and consultant Roberto Paleari discovered the flaws and publicly disclosed them on 12 October after he told SC he reported it to a Telstra Bigpond technical support line.

Paleari later worked with Telstra and Netcomm to detail the vulnerabilities, which also included a command-injection flaw due to the server-side script failing to properly validate user-supplied input.

The researcher publicly disclosed the holes after he said Telstra's technical support department requested he detail the bug over phone and would not communicate via email, his preferred method for record-keeping.

“I can only say I am really sorry I finally had to disclose the vulnerabilities without waiting for a fix from the device manufacturer,” Paleari told SC, adding that he believed in responsible disclosure.

“Router security should be taken more seriously.”

SC urges all affected users to apply the patch immediately.

The patch also introduced a feature allowing manual selection between internal and external antennas from the modem interface.
http://www.scmagazine.com.au/News/32...wide-open.aspx





Security Hole Allows Anyone to Hijack Your Skype Account Using Only Your Email Address
Emil Protalinski

A new security hole has been discovered in Microsoft’s Skype that allows anyone to change your password and thus take over your account. The issue was first posted on a Russian forum two months ago and has been confirmed by The Next Web (we have not linked to any of the blogs or posts detailing the exploit because it is very easy to reproduce).

We’ve been in touch with Skype over the past few hours to give them a chance to address this vulnerability. The company has informed us it is currently conducting an internal investigation.

To exploit this flaw, all you need to know is your victim’s email address tied to their Skype account. To protect yourself, you would have to change your email address to one that nobody knows or could easily guess, but most likely Microsoft will get around to fixing the problem before that becomes necessary.

We reproduced the attack, step-by-step, and managed to access the Skype accounts of TNW writer (with permission) Josh Ong (as well as editor Matt Brian to verify again) with only their email addresses. Essentially, that email address is used to create a new account with your own email address tied to it. Then, minus a couple of key steps, you can use a password reset token to gain access to your target’s account.

Having done all that, I could see my username for Josh’s account, and Josh’s username (for the first time – note, I had no idea what it was until this point) for his account, as well as change the password for whichever I pleased. I changed Josh’s, locking him out of the account and letting me in. Since I did this before Josh could, and he would have to be watching his email account “like a hawk” (his words, not mine) to beat me, I essentially gained exclusive access to his account. He couldn’t log back in until I gave him the new password.

The reason this works is simple, but it’s still worrying. When you use an existing email address to sign up with Skype again, the service emails you a reminder of your username, which is okay, since no one else should have access to your email. Unfortunately, because this method enables you to get a password reset token sent to the Skype app itself, this allows a third party to redeem it and claim ownership of your original username and thus account.

This should not be allowed, as it lets anyone create another username for your Skype account by just knowing your email address. The exposer of the vulnerability says that it has been reported but the hole is clearly still open.

In the meantime, the best way to avoid being targeted by this is to use a different email address for your Skype account: change it over on Skype.com now to one only you know about. To do this, click on the “Sign In” in the top-right corner, click on the “Profile” link in the middle of the page under “Account Details,” and scroll down to “Contact details.” From there, click on “Add email address,” add one, scroll to the bottom, and hit “Save.” One last time, scroll to the bottom again, click on “Edit,” then finally scroll up and choose “Set as primary email” beside your covert email address.

We have contacted both Skype and Microsoft about this issue in the hopes that it can be corrected sooner rather than later. We will update you when we learn more.

Update: Skype shared the following statement with The Next Web:

“We have had reports of a new security vulnerability issue. As a precautionary step we have temporarily disabled password reset as we continue to investigate the issue further. We apologize for the inconvenience but user experience and safety is our first priority”
http://thenextweb.com/microsoft/2012...email-address/





Skype Plugs Security Hole Letting Anyone Hijack Accounts, Says ‘Small Number’ of Users Affected
Emil Protalinski

A number of hours after The Next Web revealed a flaw in the way Skype handled password resets, allowing third-parties to hijack accounts using just an email address, Skype has said that it has now fixed the issue. The company has confirmed it first mitigated the issue, but has now updated its password reset process so that it doesn’t send tokens to the client. We have confirmed ourselves that this flaw has been fixed.

In its statement to TNW, Skype explains:

Early this morning we were notified of user concerns surrounding the security of the password reset feature on our website. This issue affected some users where multiple Skype accounts were registered to the same email address. We suspended the password reset feature temporarily this morning as a precaution and have made updates to the password reset process today so that it is now working properly.

We are reaching out to a small number of users who may have been impacted to assist as necessary. Skype is committed to providing a safe and secure communications experience to our users and we apologize for the inconvenience.


What Skype is essentially saying here is that while this flaw was indeed available for a while (we first spotted the issue on a Russian forum dating two months back), the company was able to fix it quickly enough before the exploit could be used against a large number of accounts. The statement could be read as if the issue only affected certain Skype accounts, which is false: the flaw affected all accounts.

Here at TNW, we managed to use the security hole to hijack multiple Skype logins belonging to staff members (with their permission, of course). Skype says it will be getting in touch with those it detected as being affected to make sure they are aware their accounts were hijacked.

The whole process took roughly two minutes, and it could be automated in a way to hijack multiple accounts in quick succession. The fact that Skype worked quickly to fix this flaw is important: the company now only has to worry about contacting those affected in the last little while, from two months ago when this was first discovered, to the hours last night where the world took notice and many tried to replicate the issue.
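The reset flaw and the fix described in the two Skype reports above, reduced to a toy model that can serve as a regression test for any reset flow. This is an added example, not Skype's code; every class, function, username and address in it is hypothetical.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    username: str
    email: str        # claimed at signup; this model never verifies ownership
    password: str
    client_messages: list = field(default_factory=list)  # shown in the signed-in app


class ResetService:
    """Hypothetical account service where several usernames may share one email."""

    def __init__(self, send_token_to_client):
        self.send_token_to_client = send_token_to_client
        self.accounts = {}    # username -> Account
        self.mailboxes = {}   # email -> tokens; only the address owner can read these
        self.pending = {}     # token -> email the reset was requested for

    def register(self, username, email, password):
        account = Account(username, email, password)
        self.accounts[username] = account
        return account

    def usernames_for(self, email):
        # The reset page lists every username tied to the address.
        return sorted(a.username for a in self.accounts.values() if a.email == email)

    def request_reset(self, email):
        token = secrets.token_urlsafe(16)
        self.pending[token] = email
        self.mailboxes.setdefault(email, []).append(token)  # out-of-band channel
        if self.send_token_to_client:
            # Flawed behaviour: the token is also pushed to the app of every
            # account registered to the address, including unverified ones.
            for account in self.accounts.values():
                if account.email == email:
                    account.client_messages.append(token)

    def redeem(self, token, username, new_password):
        email = self.pending.get(token)
        account = self.accounts.get(username)
        if email is None or account is None or account.email != email:
            return False
        del self.pending[token]  # single use
        account.password = new_password
        return True


def non_owner_can_reset(send_token_to_client):
    """True if someone who cannot read the mailbox can still change the owner's password."""
    svc = ResetService(send_token_to_client)
    svc.register("owner_account", "owner@example.test", "original-password")
    second = svc.register("second_account", "owner@example.test", "other-password")
    svc.request_reset("owner@example.test")
    # The second registrant sees only their own client, never svc.mailboxes.
    for token in second.client_messages:
        for name in svc.usernames_for("owner@example.test"):
            if name != second.username and svc.redeem(token, name, "changed"):
                return True
    return False


def owner_can_still_reset(send_token_to_client):
    """The legitimate path: the mailbox owner reads the token from email."""
    svc = ResetService(send_token_to_client)
    svc.register("owner_account", "owner@example.test", "original-password")
    svc.request_reset("owner@example.test")
    token = svc.mailboxes["owner@example.test"][-1]
    return svc.redeem(token, "owner_account", "new-password")


if __name__ == "__main__":
    print("token pushed to client, non-owner reset:", non_owner_can_reset(True))
    print("token by email only, non-owner reset:  ", non_owner_can_reset(False))
    print("token by email only, owner reset:      ", owner_can_still_reset(False))
```

The invariant worth testing in a real system is the one the fix restores: a reset token is delivered only over a channel that proves control of the mailbox.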
http://thenextweb.com/microsoft/2012...sers-affected/





Kill the Password: Why a String of Characters Can’t Protect Us Anymore
Mat Honan

You have a secret that can ruin your life.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.

In 413 BC, at the height of the Peloponnesian War, the Athenian general Demosthenes landed in Sicily with 5,000 soldiers to assist in the attack on Syracusae. Things were looking good for the Greeks. Syracusae, a key ally of Sparta, seemed sure to fall.

But during a chaotic nighttime battle at Epipole, Demosthenes’ forces were scattered, and while attempting to regroup they began calling out their watchword, a prearranged term that would identify soldiers as friendly. The Syracusans picked up on the code and passed it quietly through their ranks. At times when the Greeks looked too formidable, the watchword allowed their opponents to pose as allies. Employing this ruse, the undermatched Syracusans decimated the invaders, and when the sun rose, their cavalry mopped up the rest. It was a turning point in the war.

The first computers to use passwords were likely those in MIT’s Compatible Time-Sharing System, developed in 1961. To limit the time any one user could spend on the system, CTSS used a login to ration access. It only took until 1962 when a PhD student named Allan Scherr, wanting more than his four-hour allotment, defeated the login with a simple hack: He located the file containing the passwords and printed out all of them. After that, he got as much time as he wanted.

During the formative years of the web, as we all went online, passwords worked pretty well. This was due largely to how little data they actually needed to protect. Our passwords were limited to a handful of applications: an ISP for email and maybe an ecommerce site or two. Because almost no personal information was in the cloud—the cloud was barely a wisp at that point—there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.

So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts—the number of failure points—grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud, and doing our taxes in the cloud. We stashed our photos, our documents, our data in the cloud.

Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the “strong” password. It’s the compromise that growing web companies came up with to keep people signing up and entrusting data to their sites. It’s the Band-Aid that’s now being washed away in a river of blood.

Every security framework needs to make two major trade-offs to function in the real world. The first is convenience: The most secure system isn’t any good if it’s a total pain to access. Requiring you to remember a 256-character hexadecimal password might keep your data safe, but you’re no more likely to get into your account than anyone else. Better security is easy if you’re willing to greatly inconvenience users, but that’s not a workable compromise.

The second trade-off is privacy. If the whole system is designed to keep data secret, users will hardly stand for a security regime that shreds their privacy in the process. Imagine a miracle safe for your bedroom: It doesn’t need a key or a password. That’s because security techs are in the room, watching it 24/7, and they unlock the safe whenever they see that it’s you. Not exactly ideal. Without privacy, we could have perfect security, but no one would accept a system like that.

For decades now, web companies have been terrified by both trade-offs. They have wanted the act of signing up and using their service to seem both totally private and perfectly simple—the very state of affairs that makes adequate security impossible. So they’ve settled on the strong password as the cure. Make it long enough, throw in some caps and numbers, tack on an exclamation point, and everything will be fine.

But for years it hasn’t been fine. In the age of the algorithm, when our laptops pack more processing power than a high-end workstation did a decade ago, cracking a long password with brute force computation takes just a few million extra cycles. That’s not even counting the new hacking techniques that simply steal our passwords or bypass them entirely—techniques that no password length or complexity can ever prevent. The number of data breaches in the US increased by 67 percent in 2011, and each major breach is enormously expensive: After Sony’s PlayStation account database was hacked in 2011, the company had to shell out $171 million to rebuild its network and protect users from identity theft. Add up the total cost, including lost business, and a single hack can become a billion-dollar catastrophe.


A Password Hacker in Action

The following is from a January 2012 live chat between Apple online support and a hacker posing as Brian—a real Apple customer. The hacker’s goal: resetting the password and taking over the account.

Apple: Can you answer a question from the account? Name of your best friend?

Hacker: I think that is “Kevin” or “Austin” or “Max.”

Apple: None of those answers are correct. Do you think you may have entered last names with the answer?

Hacker: I might have, but I don’t think so. I’ve provided the last 4, is that not enough?

Apple: The last four of the card are incorrect. Do you have another card?

Hacker: Can you check again? I’m looking at my Visa here, the last 4 is “5555.”

Apple: Yes, I have checked again. 5555 is not what is on the account. Did you try to reset online and choose email authentication?

Hacker: Yes, but my email has been hacked. I think the hacker added a credit card to the account, as many of my accounts had the same thing happen to them.

Apple: You want to try the first and last name for the best friend question?

Hacker: Be right back. The chicken is burning, sorry. One second.

Apple: OK.

Hacker: Here, I’m back. I think the answer might be Chris? He’s a good friend.

Apple: I am sorry, Brian, but that answer is incorrect.

Hacker: Christopher Aylsworth is the full name. Another possibility is Raymond McAlister.

Apple: Both of those are incorrect as well.

Hacker: I’m just gonna list off some friends that might be haha. Brian Coca. Bryan Yount. Steven May.

Apple: How about this. Give me the name of one of your custom mail folders.

Hacker: “Google” “Gmail” “Apple” I think. I’m a programmer at Google.

Apple: OK, “Apple” is correct. Can I have an alternate email address for you?

Hacker: The alternate email I used when I made the account?

Apple: I will need an email address to send you the password reset.

Hacker: Can you send it to “toe@aol.com”?

Apple: The email has been sent.

Hacker: Thanks!



How do our online passwords fall? In every imaginable way: They’re guessed, lifted from a password dump, cracked by brute force, stolen with a keylogger, or reset completely by conning a company’s customer support department.

Let’s start with the simplest hack: guessing. Carelessness, it turns out, is the biggest security risk of all. Despite years of being told not to, people still use lousy, predictable passwords. When security consultant Mark Burnett compiled a list of the 10,000 most common passwords based on easily available sources (like passwords dumped online by hackers and simple Google searches), he found the number one password people used was, yes, “password.” The second most popular? The number 123456. If you use a dumb password like that, getting into your account is trivial. Free software tools with names like Cain and Abel or John the Ripper automate password-cracking to such an extent that, very literally, any idiot can do it. All you need is an Internet connection and a list of common passwords—which, not coincidentally, are readily available online, often in database-friendly formats.

What’s shocking isn’t that people still use such terrible passwords. It’s that some companies continue to allow it. The same lists that can be used to crack passwords can also be used to make sure no one is able to choose those passwords in the first place. But saving us from our bad habits isn’t nearly enough to salvage the password as a security mechanism.

Our other common mistake is password reuse. During the past two years, more than 280 million “hashes” (i.e., encrypted but readily crackable passwords) have been dumped online for everyone to see. LinkedIn, Yahoo, Gawker, and eHarmony all had security breaches in which the usernames and passwords of millions of people were stolen and then dropped on the open web. A comparison of two dumps found that 49 percent of people had reused usernames and passwords between the hacked sites.

“Password reuse is what really kills you,” says Diana Smetters, a software engineer at Google who works on authentication systems. “There is a very efficient economy for exchanging that information.” Often the hackers who dump the lists on the web are, relatively speaking, the good guys. The bad guys are stealing the passwords and selling them quietly on the black market. Your login may have already been compromised, and you might not know it—until that account, or another that you use the same credentials for, is destroyed.

Hackers also get our passwords through trickery. The most well-known technique is phishing, which involves mimicking a familiar site and asking users to enter their login information. Steven Downey, CTO of Shipley Energy in Pennsylvania, described how this technique compromised the online account of one of his company’s board members this past spring. The executive had used a complex alphanumeric password to protect her AOL email. But you don’t need to crack a password if you can persuade its owner to give it to you freely.

The hacker phished his way in: He sent her an email that linked to a bogus AOL page, which asked for her password. She entered it. After that he did nothing. At first, that is. The hacker just lurked, reading all her messages and getting to know her. He learned where she banked and that she had an accountant who handled her finances. He even learned her electronic mannerisms, the phrases and salutations she used. Only then did he pose as her and send an email to her accountant, ordering three separate wire transfers totaling roughly $120,000 to a bank in Australia. Her bank at home sent $89,000 before the scam was detected.

An even more sinister means of stealing passwords is to use malware: hidden programs that burrow into your computer and secretly send your data to other people. According to a Verizon report, malware attacks accounted for 69 percent of data breaches in 2011. They are epidemic on Windows and, increasingly, Android. Malware works most commonly by installing a keylogger or some other form of spyware that watches what you type or see. Its targets are often large organizations, where the goal is not to steal one password or a thousand passwords but to access an entire system.

One devastating example is ZeuS, a piece of malware that first appeared in 2007. Clicking a rogue link, usually from a phishing email, installs it on your computer. Then, like a good human hacker, it sits and waits for you to log in to an online banking account somewhere. As soon as you do, ZeuS grabs your password and sends it back to a server accessible to the hacker. In a single case in 2010, the FBI helped apprehend five individuals in the Ukraine who had employed ZeuS to steal $70 million from 390 victims, primarily small businesses in the US.

Targeting such companies is actually typical. “Hackers are increasingly going after small businesses,” says Jeremy Grant, who runs the Department of Commerce’s National Strategy for Trusted Identities in Cyberspace. Essentially, he’s the guy in charge of figuring out how to get us past the current password regime. “They have more money than individuals and less protection than large corporations.”

If our problems with passwords ended there, we could probably save the system. We could ban dumb passwords and discourage reuse. We could train people to outsmart phishing attempts. (Just look closely at the URL of any site that asks for a password.) We could use antivirus software to root out malware.

But we’d be left with the weakest link of all: human memory. Passwords need to be hard in order not to be routinely cracked or guessed. So if your password is any good at all, there’s a very good chance you’ll forget it—especially if you follow the prevailing wisdom and don’t write it down. Because of that, every password-based system needs a mechanism to reset your account. And the inevitable trade-offs (security versus privacy versus convenience) mean that recovering a forgotten password can’t be too onerous. That’s precisely what opens your account to being easily overtaken via social engineering. Although “socialing” was responsible for just 7 percent of the hacking cases that government agencies tracked last year, it raked in 37 percent of the total data stolen.

Socialing is how my Apple ID was stolen this past summer. The hackers persuaded Apple to reset my password by calling with details about my address and the last four digits of my credit card. Because I had designated my Apple mailbox as a backup address for my Gmail account, the hackers could reset that too, deleting my entire account—eight years’ worth of email and documents—in the process. They also posed as me on Twitter and posted racist and antigay diatribes there.


How to Survive the Password Apocalypse

Until we figure out a better system for protecting our stuff online, here are four mistakes you should never make—and four moves that will make your accounts harder (but not impossible) to crack.—M.H.

DON’T

• Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
• Use a dictionary word as your password. If you must, then string several together into a pass phrase.
• Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
• Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.

DO

• Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
• Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
• Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo and WhitePages.com offer opt-out mechanisms to get your information removed from their databases.
• Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name—like m****n@wired.com—so it can’t be easily guessed.
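The screening the article describes, where the same lists used for cracking are used to refuse weak choices at signup, can be sketched as below, including the reversed number substitutions from the DON'T list. This is an added example, not part of the original article; the tiny denylist and dictionary, the 12-character minimum and all function names are assumptions constructed for illustration.

```python
import re

# Constructed sample lists. A real deployment would load a large list of
# leaked and common passwords plus a full dictionary.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "dragon"}
DICTIONARY = {"password", "dragon", "sunshine", "counterintelligence"}

MIN_LENGTH = 12  # assumption; the article only says longer is better

# Undo the "standard number substitutions" the article warns about.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

TOO_SHORT = "too_short"
COMMON = "common_password"
DICTIONARY_WORD = "dictionary_word"


def variants(password):
    """Return the forms of a candidate that a cracking tool would also try."""
    lowered = password.lower()
    # Drop a trailing run of digits/symbols: "dragon2012!" -> "dragon".
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    return {lowered, lowered.translate(LEET),
            stripped, stripped.translate(LEET)}


def screen_password(password):
    """Return the list of reasons to refuse a password; empty means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(TOO_SHORT)
    forms = variants(password)
    if forms & COMMON_PASSWORDS:
        reasons.append(COMMON)
    elif forms & DICTIONARY:
        # A single dictionary word, however long, is one guess in a wordlist.
        reasons.append(DICTIONARY_WORD)
    return reasons


def demo():
    """Screen the article's own examples plus a constructed pass phrase."""
    samples = ["password", "123456", "P455w0rd", "h6!r$q",
               "Dragon2012!", "counterintelligence",
               "lantern walrus orbit pickle"]
    return {pw: screen_password(pw) for pw in samples}


if __name__ == "__main__":
    for pw, reasons in demo().items():
        print(f"{pw!r}: {'accept' if not reasons else ', '.join(reasons)}")
```
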



After my story set off a wave of publicity, Apple changed its practices: It temporarily quit issuing password resets over the phone. But you could still get one online. And so a month later, a different exploit was used against New York Times technology columnist David Pogue. This time the hackers were able to reset his password online by getting past his “security questions.”

You know the drill. To reset a lost login, you need to supply answers to questions that (supposedly) only you know. For his Apple ID, Pogue had picked (1) What was your first car? (2) What is your favorite model of car? and (3) Where were you on January 1, 2000? Answers to the first two were available on Google: He had written that a Corolla had been his first car, and had recently sung the praises of his Toyota Prius. The hackers just took a wild guess on the third question. It turns out that at the dawn of the new millennium, David Pogue, like the rest of the world, was at a “party.”

With that, the hackers were in. They dove into his address book (he’s pals with magician David Blaine!) and locked him out of his kitchen iMac.

OK, you might think, but that could never happen to me: David Pogue is Internet-famous, a prolific writer for the major media whose every brain wave goes online. But have you thought about your LinkedIn account? Your Facebook page? Your kids’ pages or your friends’ or family’s? If you have a serious web presence, your answers to the standard questions—still often the only options available—are trivial to root out. Your mother’s maiden name is on Ancestry.com, your high school mascot is on Classmates, your birthday is on Facebook, and so is your best friend’s name—even if it takes a few tries.

The ultimate problem with the password is that it’s a single point of failure, open to many avenues of attack. We can’t possibly have a password-based security system that’s memorable enough to allow mobile logins, nimble enough to vary from site to site, convenient enough to be easily reset, and yet also secure against brute-force hacking. But today that’s exactly what we’re banking on—literally.

Who is doing this? Who wants to work that hard to destroy your life? The answer tends to break down into two groups, both of them equally scary: overseas syndicates and bored kids.

The syndicates are scary because they’re efficient and wildly prolific. Malware and virus-writing used to be something hobbyist hackers did for fun, as proofs of concept. Not anymore. Sometime around the mid-2000s, organized crime took over. Today’s virus writer is more likely to be a member of the professional criminal class operating out of the former Soviet Union than some kid in a Boston dorm room. There’s a good reason for that: money.

Given the sums at stake—in 2011 Russian-speaking hackers alone took in roughly $4.5 billion from cybercrime—it’s no wonder that the practice has become organized, industrialized, and even violent. Moreover, they are targeting not just businesses and financial institutions but individuals too. Russian cybercriminals, many of whom have ties to the traditional Russian mafia, took in tens of millions of dollars from individuals last year, largely by harvesting online banking passwords through phishing and malware schemes. In other words, when someone steals your Citibank password, there’s a good chance it’s the mob.

But teenagers are, if anything, scarier, because they’re so innovative. The groups that hacked David Pogue and me shared a common member: a 14-year-old kid who goes by the handle “Dictate.” He isn’t a hacker in the traditional sense. He’s just calling companies or chatting with them online and asking for password resets. But that does not make him any less effective. He and others like him start by looking for information about you that’s publicly available: your name, email, and home address, for example, which are easy to get from sites like Spokeo and WhitePages.com. Then he uses that data to reset your password in places like Hulu and Netflix, where billing information, including the last four digits of your credit card number, is kept visibly on file. Once he has those four digits, he can get into AOL, Microsoft, and other crucial sites. Soon, through patience and trial and error, he’ll have your email, your photos, your files—just as he had mine.

Why do kids like Dictate do it? Mostly just for lulz: to fuck shit up and watch it burn. One favorite goal is merely to piss off people by posting racist or otherwise offensive messages on their personal accounts. As Dictate explains, “Racism invokes a funnier reaction in people. Hacking, people don’t care too much. When we jacked @jennarose3xo”—aka Jenna Rose, an unfortunate teen singer whose videos got widely hate-watched in 2010—“I got no reaction from just tweeting that I jacked her stuff. We got a reaction when we uploaded a video of some black guys and pretended to be them.” Apparently, sociopathy sells.

A lot of these kids came out of the Xbox hacking scene, where the networked competition of gamers encouraged kids to learn cheats to get what they wanted. In particular they developed techniques to steal so-called OG (original gamer) tags—the simple ones, like Dictate instead of Dictate27098—from the people who’d claimed them first. One hacker to come out of that universe was “Cosmo,” who was one of the first to discover many of the most brilliant socialing exploits out there, including those used on Amazon and PayPal. (“It just came to me,” he said with pride when I met him a few months ago at his grandmother’s house in southern California.) In early 2012, Cosmo’s group, UGNazi, took down sites ranging from Nasdaq to the CIA to 4chan. It obtained personal information about Michael Bloomberg, Barack Obama, and Oprah Winfrey. When the FBI finally arrested this shadowy figure in June, they found that he was just 15 years old; when he and I met a few months later, I had to drive.

It’s precisely because of the relentless dedication of kids like Dictate and Cosmo that the password system cannot be salvaged. You can’t arrest them all, and even if you did, new ones would keep growing up. Think of the dilemma this way: Any password-reset system that will be acceptable to a 65-year-old user will fall in seconds to a 14-year-old hacker.

For the same reason, many of the silver bullets that people imagine will supplement—and save—passwords are vulnerable as well. For example, last spring hackers broke into the security company RSA and stole data relating to its SecurID tokens, supposedly hack-proof devices that provide secondary codes to accompany passwords. RSA never divulged just what was taken, but it’s widely believed that the hackers got enough data to duplicate the numbers the tokens generate. If they also learned the tokens’ device IDs, they’d be able to penetrate the most secure systems in corporate America.

On the consumer side, we hear a lot about the magic of Google’s two-factor authentication for Gmail. It works like this: First you confirm a mobile phone number with Google. After that, whenever you try to log in from an unfamiliar IP address, the company sends an additional code to your phone: the second factor. Does this keep your account safer? Absolutely, and if you’re a Gmail user, you should enable it this very minute. Will a two-factor system like Gmail’s save passwords from obsolescence? Let me tell you about what happened to Matthew Prince.

This past summer UGNazi decided to go after Prince, CEO of a web performance and security company called CloudFlare. They wanted to get into his Google Apps account, but it was protected by two-factor. What to do? The hackers hit his AT&T cell phone account. As it turns out, AT&T uses Social Security numbers essentially as an over-the-phone password. Give the carrier those nine digits—or even just the last four—along with the name, phone number, and billing address on an account and it lets anyone add a forwarding number to any account in its system. And getting a Social Security number these days is simple: They’re sold openly online, in shockingly complete databases.

Prince’s hackers used the SSN to add a forwarding number to his AT&T service and then made a password-reset request with Google. So when the automated call came in, it was forwarded to them. Voilà—the account was theirs. Two-factor just added a second step and a little expense. The longer we stay on this outdated system—the more Social Security numbers that get passed around in databases, the more login combinations that get dumped, the more we put our entire lives online for all to see—the faster these hacks will get.

The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on secrets—a string of characters, 10 strings of characters, the answers to 50 questions—that only we’re supposed to know. The Internet doesn’t do secrets. Everyone is a few clicks away from knowing everything.

Instead, our new system will need to hinge on who we are and what we do: where we go and when, what we have with us, how we act when we’re there. And each vital account will need to cue off many such pieces of information—not just two, and definitely not just one.

This last point is crucial. It’s what’s so brilliant about Google’s two-factor authentication, but the company simply hasn’t pushed the insight far enough. Two factors should be a bare minimum. Think about it: When you see a man on the street and think it might be your friend, you don’t ask for his ID. Instead, you look at a combination of signals. He has a new haircut, but does that look like his jacket? Does his voice sound the same? Is he in a place he’s likely to be? If many points don’t match, you wouldn’t believe his ID; even if the photo seemed right, you’d just assume it had been faked.

And that, in essence, will be the future of online identity verification. It may very well include passwords, much like the IDs in our example. But it will no longer be a password-based system, any more than our system of personal identification is based on photo IDs. The password will be just one token in a multifaceted process. Jeremy Grant of the Department of Commerce calls this an identity ecosystem.

What about biometrics? After watching lots of movies, many of us would like to think that a fingerprint reader or iris scanner could be what passwords used to be: a single-factor solution, an instant verification. But they both have two inherent problems. First, the infrastructure to support them doesn’t exist, a chicken-or-egg issue that almost always spells death for a new technology. Because fingerprint readers and iris scanners are expensive and buggy, no one uses them, and because no one uses them, they never become cheaper or better.

The second, bigger problem is also the Achilles’ heel of any one-factor system: A fingerprint or iris scan is a single piece of data, and single pieces of data will be stolen. Dirk Balfanz, a software engineer on Google’s security team, points out that passcodes and keys can be replaced, but biometrics are forever: “It’s hard for me to get a new finger if my print gets lifted off a glass,” he jokes. While iris scans look groovy in the movies, in the age of high-definition photography, using your face or your eye or even your fingerprint as a one-stop verification just means that anyone who can copy it can also get in.

Does that sound far-fetched? It’s not. Kevin Mitnick, the fabled social engineer who spent five years in prison for his hacking heroics, now runs his own security company, which gets paid to break into systems and then tell the owners how it was done. In one recent exploit, the client was using voice authentication. To get in, you had to recite a series of randomly generated numbers, and both the sequence and the speaker’s voice had to match. Mitnick called his client and recorded their conversation, tricking him into using the numbers zero through nine in conversation. He then split up the audio, played the numbers back in the right sequence, and—presto.

None of this is to say that biometrics won’t play a crucial role in future security systems. Devices might require a biometric confirmation just to use them. (Android phones can already pull this off, and given Apple’s recent purchase of mobile-biometrics firm AuthenTec, it seems a safe bet that this is coming to iOS as well.) Those devices will then help to identify you: Your computer or a remote website you’re trying to access will confirm a particular device. Already, then, you’ve verified something you are and something you have. But if you’re logging in to your bank account from an entirely unlikely place—say, Lagos, Nigeria—then you may have to go through a few more steps. Maybe you’ll have to speak a phrase into the microphone and match your voiceprint. Maybe your phone’s camera snaps a picture of your face and sends it to three friends, one of whom has to confirm your identity before you can proceed.

In many ways, our data providers will learn to think somewhat like credit card companies do today: monitoring patterns to flag anomalies, then shutting down activity if it seems like fraud. “A lot of what you’ll see is that sort of risk analytics,” Grant says. “Providers will be able to see where you’re logging in from, what kind of operating system you’re using.”

Google is already pushing in this direction, going beyond two-factor to examine each login and see how it relates to the previous one in terms of location, device, and other signals the company won’t disclose. If it sees something aberrant, it will force a user to answer questions about the account. “If you can’t pass those questions,” Smetters says, “we’ll send you a notification and tell you to change your password—because you’ve been owned.”
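As an added illustration (not from the article, and not Google's actual logic), the sketch below compares each login with the previous one on device, operating system and location, and asks for extra verification when the signals look aberrant. The thresholds, signal names, coordinates and sample logins are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

FAR_KM = 500.0         # assumption: beyond this, treat as a new location
MAX_SPEED_KMH = 900.0  # assumption: roughly airliner cruising speed


@dataclass
class Login:
    when: datetime
    lat: float
    lon: float
    device_id: str
    os: str


def km_between(a, b):
    """Great-circle (haversine) distance between two logins, in kilometres."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = (sin(dlat / 2) ** 2
         + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2)
    return 2 * 6371.0 * asin(sqrt(h))


def assess(previous, current, known_devices):
    """Return the list of signals that make this login look unlike the last."""
    signals = []
    if current.device_id not in known_devices:
        signals.append("new_device")
    if current.os != previous.os:
        signals.append("os_changed")
    distance = km_between(previous, current)
    if distance > FAR_KM:
        signals.append("new_location")
        hours = (current.when - previous.when).total_seconds() / 3600
        # Out-of-order timestamps or faster-than-flight travel cannot be
        # the same person moving between the two places.
        if hours <= 0 or distance / hours > MAX_SPEED_KMH:
            signals.append("impossible_travel")
    return signals


def decide(signals):
    """Map signals to an action: allow, ask for more proof, or block."""
    if "impossible_travel" in signals and "new_device" in signals:
        return "block"
    if signals:
        return "step_up"  # require additional factors before proceeding
    return "allow"


# Constructed sample logins (coordinates are approximate city centres).
T0 = datetime(2012, 11, 12, 9, 0)
HOME = Login(T0, 42.36, -71.06, "laptop-1", "macOS")            # Boston
NEXT_DAY = Login(T0 + timedelta(days=1), 42.36, -71.06, "laptop-1", "macOS")
TRIP = Login(T0 + timedelta(days=2), 37.77, -122.42, "laptop-1", "macOS")
LAGOS = Login(T0 + timedelta(hours=2), 6.52, 3.38, "unknown-9", "Windows")
KNOWN_DEVICES = {"laptop-1"}


def demo():
    """Assess each sample login against HOME and return the decisions."""
    return {name: decide(assess(HOME, login, KNOWN_DEVICES))
            for name, login in
            [("next_day", NEXT_DAY), ("trip", TRIP), ("lagos", LAGOS)]}


if __name__ == "__main__":
    for name, action in demo().items():
        print(name, "->", action)
```
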

The other thing that’s clear about our future password system is which trade-off—convenience or privacy—we’ll need to make. It’s true that a multifactor system will involve some minor sacrifices in convenience as we jump through various hoops to access our accounts. But it will involve far more significant sacrifices in privacy. The security system will need to draw upon your location and habits, perhaps even your patterns of speech or your very DNA.

We need to make that trade-off, and eventually we will. The only way forward is real identity verification: to allow our movements and metrics to be tracked in all sorts of ways and to have those movements and metrics tied to our actual identity. We are not going to retreat from the cloud—to bring our photos and email back onto our hard drives. We live there now. So we need a system that makes use of what the cloud already knows: who we are and who we talk to, where we go and what we do there, what we own and what we look like, what we say and how we sound, and maybe even what we think.

That shift will involve significant investment and inconvenience, and it will likely make privacy advocates deeply wary. It sounds creepy. But the alternative is chaos and theft and yet more pleas from “friends” in London who have just been mugged. Times have changed. We’ve entrusted everything we have to a fundamentally broken system. The first step is to acknowledge that fact. The second is to fix it.
http://www.wired.com/gadgetlab/2012/...ssword-hacker/





How Dead Is the Book Business?
Adam Davidson

When you see a merger between two giants in a declining industry, it can look like the financial version of a couple having a baby to save a marriage. At least that was my thought when Random House and Penguin, two of the world’s six largest publishers, announced that they were coming together last month. Ever since Amazon began ripping apart the book business, the largest houses have been looking for a way to fight back. If this merger is any indication, they have chosen an old-fashioned strategy: Size.

A combined Penguin-Random House, which would control a quarter of the global book market, is a conglomerate designed to take on another giant, though it’s not exactly a fair fight. Because the new entity will only have about a twelfth of Amazon’s annual sales, most observers expect that this is just the beginning of a series of mergers — like those in the music business — that will take the Big Six publishers down to the Big Three and perhaps one day even the Big One. As John Makinson, Penguin’s chief executive, told The Times, “We decided it was better to get in early rather than be a follower.” The question is whether this strategy will work.

There are two competing predictions about commerce in the digital age. One is that companies will get smaller and more disruptive as nimble entrepreneurs can take on giant corporations with little more than 3-D printers and Web sites. The other envisions a few massive companies — like Procter & Gamble, Apple and Nike — that design everything themselves, have it manufactured cheaply in Asia and use their e-commerce sites to gather information about their customers. Nearly the exact same conflict occurred more than a century ago in the decade that straddled 1900, which was also a period of rapid technological change. In just a few years, 1,800 small companies were swallowed up as the electrical-power, telephone, auto, steel and chemical industries grew from patchworks of tiny companies into conglomerates. In “The Great Merger Movement in American Business 1895-1904,” the Yale economist and historian Naomi Lamoreaux wrote that back then everyone worried about the same thing that authors, editors and book buyers worry about now: Are large companies good for the economy? Do they grow through efficiency and innovation or by abusing their leverage?

Lamoreaux found that they did both, and many turn-of-the-century examples suggest what might happen to Penguin-Random and others. On one end of the spectrum, Lamoreaux told me, was U.S. Steel. Its predecessor companies competed by finding new ways of making steel at ever-lower prices. But after J. P. Morgan merged three companies into one behemoth, he discovered a better way to profit. Because all steel producers bought iron ore from the Mesabi Range in Minnesota, U.S. Steel bought most of the range and locked much of the rest of it in long-term contracts. As a result, the company hardly worried about competition; it had little need to innovate or compete on price, which made everything from cars to soda cans more expensive. Worse, it left a massive industry unprepared for the growth of innovative Asian companies during the 1970s and 1980s. By then, U.S. Steel all but collapsed, and a chunk of the U.S. economy went down with it.

Sears & Roebuck, on the other end, “grew by solving market and technical problems,” Lamoreaux said, and, as it solved them, its market share increased. Unable to monopolize anything like iron ore, Sears needed to innovate to stay ahead. Through constant competition with Montgomery Ward and others, it adopted new strategies that ultimately benefited its customers. When the company got into trouble, closed stores and was bought in 2005 by a struggling competitor, Kmart, the retail industry was robust enough that the overall economy barely noticed.

The future of book publishing is somewhere between the two poles. Oddly enough, it seems to mirror what happened to the envelope business. In the early 1900s the envelope industry was large enough to support several big companies. Then the mergers started, and an industry of numerous small companies became two giants. Eventually, the envelope industry wasn’t large enough to sustain itself, and the companies became tiny divisions of larger conglomerates. U.S. Envelope still lives as a small part of the packaging manufacturer MeadWestvaco. American Envelope was bought by Cenveo, a business-stationery company whose chief executive, Robert G. Burton Sr., made clear that the century of mergers and buyouts is not over. “We’ve had people knocking on the door,” he told shareholders in August.

This kind of consolidation started in publishing long before the Penguin-Random merger. Random House, an arm of the media company Bertelsmann in Germany, is itself made up of former independents like Knopf and Pantheon. Penguin, a division of the education publisher Pearson, contains Dutton, Viking and others. If market forces were the only concern, it’s possible that there would soon be only one or two publishers and that they might be folded into some larger infotainment company like Time Warner Penguin or maybe Random Viacom. There would still be books — just not large book companies.

Every analysis I’ve read of the Penguin-Random House merger mentions the inevitable scrutiny of the antitrust lawyers at the Department of Justice, who are eager to prevent any potential monopoly in publishing. But it’s difficult to imagine how, in the digital world, publishers could ever monopolize the sale of written material. Even if there were only one house left, it would compete with every blogger and self-published e-book author. Eventually, it’s likely that book publishing will embody both conflicting visions of digital-age commerce — lots of small businesses and a few massive ones that handle big-ticket items.

History suggests that the antitrust lawyers should be more concerned about government-issued patents, which allow large corporations to buy up vaguely worded deeds that can be used to sue upstarts out of existence. This is the iron ore of the digital age and many large companies are gobbling up as many patents as they can. Reuters recently reported that Amazon (which somehow holds a patent for the “one-click shopping” button) was hiring several high-profile patent lawyers with the mandate to “identify and evaluate strategic I.P. acquisition and licensing opportunities.” The company has argued that it buys up patents to defend against the lawsuits of others. That may be partly true, but the worst fate for readers isn’t the merger of a few struggling companies in a diminishing business. It’s the threat of another U.S. Steel.
https://www.nytimes.com/2012/11/18/m...se-merger.html





Google Engineer Builds $1,500 Page-Turning Scanner Out of Sheet Metal and a Vacuum
Jeff Blagdon

For the past eight years, Google has been working on digitizing the world’s 130 million or so unique books. While the pace of new additions to the Google Books initiative has been slowing down, members of the team have come up with a new automated scanner design that could both make the project much more cost efficient and give everyone with $1,500 and a little know-how access to a page-turning scanner of their very own. In the video below, Google Books engineer Dany Qumsiyeh presents the prototype design that he and other teammates created during the "20 percent time" that Google (and now Apple, among others) allocates for personal projects, showing the design challenges he overcame along the way.

The scanner uses air suction from an ordinary vacuum cleaner to isolate individual pages, scanning the front and back in one pass along the device's prism-shaped body. After a quick 40-second setup, it can digitize a 1000-page book in a little over 90 minutes (although that could be easily improved with a faster motor), and unlike many popular scanners on the market it doesn’t require anyone to man the controls once it’s been set in motion. But what makes the project really intriguing is that all of the plans have been open sourced with open patents, meaning you’re free to experiment, build on Qumsiyeh’s design, and even sell derivative scanners without worrying about Google’s army of lawyers swooping down on you. With half of Qumsiyeh's $1,500 price tag being eaten up by the scanner he tore apart for parts, we'd say there's still a lot of room for optimization.
http://www.theverge.com/2012/11/13/3...ner-vacuum-diy





With Pirate Cinema, Cory Doctorow Grows His Young Hacker Army

Cory Doctorow’s new novel Pirate Cinema is set in a world where copyright enforcement has gone mad.

For Cory Doctorow, fiction and activism go hand in hand. In novels such as Little Brother and For the Win, he tells a rip-roaring story but also imparts real-world knowledge on how to evade electronic surveillance. His young-adult novel Little Brother went so far as to include a recommended reading list for aspiring hacker activists.

“The number of kids who have written to me and said that they became programmers after reading that, I couldn’t even count them,” says Doctorow in this week’s episode of the Geek’s Guide to the Galaxy podcast.

His latest young-adult novel, Pirate Cinema, is sure to inspire plenty more young hackers with its alluring tale of a band of tech-savvy anarchist runaways who attempt to take on the entertainment industry. The story tackles the issue of overzealous copyright enforcement, which has been in the news lately thanks to laws in countries such as England and Japan that prescribe harsh penalties, even jail time, for downloading copyright-protected materials.

Although Pirate Cinema presents a free-wheeling world of sex, drugs and computer crime that’s sure to appeal to many teens, the book also makes clear that the law is watching, and that there are smart ways and not-so-smart ways to buck the system.

“None of the stuff that I think of as a bad idea is presented as a good idea,” says Doctorow. “It’s just presented as the kind of thing that a 17-year-old who is really upset might do.”

Read our complete interview with Cory Doctorow below, in which he reacts to Disney acquiring Star Wars, celebrates the success of the Humble eBook Bundle, and explores the awkwardness of accidentally answering your videophone naked. Or listen to the interview in Episode 73 of the Geek’s Guide to the Galaxy podcast, which also features a discussion of sex in science fiction with hosts John Joseph Adams and David Barr Kirtley and guest geek Laura G. Duncan.

Wired: What do you think of Disney acquiring Lucasfilm?

Cory Doctorow: I’m kind of bummed about it. It just seems to me that we’ve entered this winner-take-all world where things that are a little bit successful become very successful, and then become mega-successes, and then merge with all the other mega-successes. I don’t know. It feels like the finance industry or something to me, and it seems like it’s somehow intimately related to it — this seems like a finance-driven decision rather than an artistic-driven decision, or a creative decision.

One of the things that freaks me out is that any publicly traded corporation that acquires an asset for $4 billion is going to be as risk-averse as possible about that asset. Not to say that Lucas was a real risk-taker, but I think that Disney has always been at its best when it took risks, and that one of the downsides to the increasingly high stakes associated with each individual project — you know, the businesses may have always been high-stakes businesses, but now every project is a high-stakes project — is that they’re super risk-averse.

They always end up acting like dicks. That seems like a universal outcome of having billions of dollars at stake, is that anytime anyone suggests doing anything that might have a bad outcome, your risk-management people and your lawyers come along and say, “No, you’re absolutely obliged to act like a total asshole to these people, just in case it turns out that they might cost you money down the road, because there’s so much at stake here.” It just feels like something that is just going to be about making sequels to sequels to sequels to adaptations to sequels, as opposed to inventing new cool stuff.

Wired: So now one company — Disney — owns Star Wars, Pixar and Marvel, in addition to all the Disney characters — basically the collective happy childhood memories of several generations.

Doctorow: Yeah, I’m less worried about that. I’m actually totally non-precious about that. I mean, your memories are your memories, and I’m totally unsympathetic to people who say that having seen the crappy prequels to Star Wars reduced their enjoyment of the first three. To me, the thing that actually reduced my enjoyment of Star Wars and the two sequels was just watching them as an adult instead of a kid, and I realized a lot of the things that I thought of as really interesting and great were either clichés, or that they had a superficial appeal but the more you thought about them the dumber they got.

I’m more bothered about the fact that if you look at Disney’s pattern of acquisitions, they’re acting like Procter & Gamble, they’re acting like a packaged goods company. In fact, less innovative than a packaged goods company. Basically their whole business plan is about amassing huge amounts of capital, putting it into brands — that is to say, things that have already understood audiences and understood profiles — and then doing as little as possible to upset the apple cart. In fact, I think they’re more likely to try to keep all of those things intact and to not ever upset or worry the people who grew up on them, because basically their whole approach is to maximize the amount of revenue they can get from you by continuing to spin out infinite variations on the theme of whatever it was you liked last time.

Wired: It seems like going back to Down and Out in the Magic Kingdom, you’ve had sort of a love/hate relationship with Disney. Is any of that love still there?

Doctorow: Oh yeah, absolutely. I always say with Disney that I love the sin and I hate the sinner. They produce some amazing media that I really love, as you might have gathered if you’ve read the two novels and the novella I wrote that are really about Disney parks — Down and Out in the Magic Kingdom, Makers and “There’s a Great Big Beautiful Tomorrow.” The thing that they do that I love is their dark rides. I actually think immersive automated environments are an art form. I don’t think many people take them very seriously, and I think Disney at its best has taken them more seriously than anyone in the history of the world, and that when they are taking it seriously they do an incredible job with it. I just think that the rest of their media is a lot less interesting. I continue to be totally blown away by their immersive environments — both the rides and the parks that the rides are in — but I also continue to be absolutely distressed by their legislative agenda and by other elements of their corporate culture.

Wired: You recently participated in the Humble eBook Bundle. You want to tell us about that?

Doctorow: Sure. It comes out of something called the Humble Indie Bundle, which was for videogames. When they started in 2010, there was a group of independent videogame developers who thought, if we get some of our friends together and we put together a bundle of about six videogames without any DRM, and we say to people, “You come and you name your own price, and you can also use a slider to designate some or all of the money that you give to charity,” and then we’ll add some game-like mechanics to the way that the pricing model works. For example, we’ll have a leaderboard of the top spenders. We’ll show you how people are spending by operating system. We’ll break that down in real time, so you can really see, for example, how Team Mac is performing against Team Linux, and maybe feel some team fellowship there and bid up your team, which I think worked pretty well.

And we’ll also reserve some of the videogames for people who give more than the average, which of course will continually drive the average up. And the first one of those, in 2010, did $1.25 million in the first week — they were two-week-long promotions — and closed at a little over $1.5 million. By the time they hit Humble Indie Bundle 6 in 2012 — the most recent one — they did $4.5 million in the first week and closed at nearly $5 million. And that’s pretty amazing. I mean, that’s just unheard of for games that fundamentally … you know, a decade ago we’d have called them shareware games. And to pull in 5 million bucks for half a dozen shareware games in a couple of weeks? Unheard of and just amazing. And they trade on a bunch of things. One is the bundle’s reputation for excellence. Part of it is the charitable dimension — people do like raising money for charity. And some of it is this game-like mechanic for pricing.

So they came to me because one of their nominated charities was one that I had been very closely associated with and that I used to, in fact, work for, a group called the Electronic Frontier Foundation, which is a civil rights group. They’re kind of like the ACLU of the internet. And EFF had been the beneficiary of a lot of donations from Humble Bundle, so much so that one of EFF’s employees actually left to go work for Humble, and he happened to be one of my former students, Richard Esguerra. He went to Humble, and they started talking about e-books and he got in touch with me and said, “Would you be interested in helping us do an e-book one?” And I said, “Of course.”

So I volunteered for them, and I put them together with a bunch of authors and agents, and we filled out a really amazing bundle. And actually, one of the things that I find sad but hopeful is that some of the best works that we had chosen for the bundle and that authors and agents had agreed to, the publishers vetoed. Because of all the big six publishers, only Tor would allow us to put their books in the bundle. Everyone else said without DRM they couldn’t let us do it. And that meant that we had authors who were multiple New York Times number-one bestsellers whose books we couldn’t use even though they wanted them in there.

I’ve since heard from some of those writers that they’ve gone back to their publishers and said, “No more book contracts with you until you let me get a piece of the millions of dollars that are sitting out there waiting for me if only I’m willing to sell my books in the way that my audience wants to read them, without DRM.” And since DRM doesn’t stop piracy — because all DRM is easily broken — it doesn’t make any sense to me. It seems like this is a purely ideological decision, and yet this ideology is anything but harmless. It’s costing authors potentially hundreds of thousands of dollars. And so I think that the subsequent bundles are going to be even better. We ended up raising just about $1.25 million, which is a little less but not bad relative to the first of the Humble Indie Bundles. And I really hope that we’ll follow in their trajectory, and that we’ll head up toward those same dizzying $5 million heights within a couple of years. And certainly I’d be happy to continue to curate these bundles for the gang. I had a great time doing it.

Wired: Do you see that model as the future of content distribution?

Doctorow: There’s an aspect of the Indie Bundle that’s part of the de facto reality of all digital content distribution today, which is that everybody is already naming their own price for digital media, in that it takes the same number of clicks to pirate media as it does to buy it. It’s a recurring motif among people who want to buy things that the buying process is very cumbersome. For example, for audiobooks you either have to have an account with Audible or you need to download OverDrive. No one will just shut up and take your money. Like, “Give me your credit card number, I’ll give you an MP3.”

So everybody is already naming their price, except the only two prices they are now allowed to name are “full retail” and “zero.” Nobody’s allowed to name a price in between. And so I think one of the insights of the Humble Bundle is that there actually is a pool of people who would like to name a price somewhere in between. I also think that, in a world where all payments are in some sense voluntary — in the sense that people could get it without paying for it, and the likelihood of them being caught is so small as to be indistinguishable from zero — that the strategy that we use to get money from audiences has to revolve around convincing people instead of coercing them, because we can’t coerce them. They can always choose to just opt out of the system.

All the strategies we use for convincing are pretty much the opposite of the strategies we use for coercing. Coercing only works — you only get efficiency — if you coerce people in bulk by making examples of a few transgressors. In other words, you coerce people by putting a couple of offenders’ heads on pikes and convincing people that you’re such a big, bad troll that unless they opt into the system that their heads will be up on pikes too. So that’s the opposite way that you convince them that you’re the kind of person who they should voluntarily give money to. You convince them that if they don’t give you money that you’re going to come after them tooth and nail, and that’s not acting like the kind of person that other people want to voluntarily pay.

And so whatever it is that people do in the future, it won’t necessarily be Humble Bundle or even recognizable as Humble Bundle, but some of the principles that inform the design of Humble Bundle will carry over, and those principles will include performing generosity and performing trust in a way that creates reciprocal arrangements with audiences, that creates a kind of reciprocating social contract with audiences that causes them to treat you in the way that you’ve shown them you’d like to be treated and that you’re prepared to treat them.

Wired: Speaking of going after people tooth and nail, that brings us to your new novel, Pirate Cinema. What’s that about?

Doctorow: Pirate Cinema was inspired by a legislative event in the United Kingdom where I live. In 2009 they introduced legislation called the Digital Economy Act, which includes something called “three strikes,” which says that if you’re accused — without proof — of three acts of copyright infringement, you and your family get disconnected from the internet.

This legislation was introduced right around the same time we had a report from our champion for digital inclusion, a woman named Martha Lane Fox, whose government posting is to make sure that everybody in the country has access to the internet. She commissioned a Price Waterhouse Cooper study into a follow-up of a trial program where people who lived in government housing — in very vulnerable populations in the north, where the local economy and industry have collapsed — they followed it up to see what happened when those people were given internet access and compared them to their neighbors who hadn’t been given internet access, so they had a naturally occurring control population experiment that they could use to analyze the impact of internet access.

They found that these people who had been given internet access, that everything we use to measure the quality of life went up for them. Their kids not only got better grades, but they were more likely to go on to post-secondary education and to be socially mobile. The parents got better jobs and had more disposable income, and so there was better nutrition, and their health outcomes were better. They were less socially isolated, they were more civically engaged, and more politically engaged. Really the whole raft of human experience improves when you give people internet access, so it follows that when you take away people’s internet access, you confiscate those benefits too.

It’s bad enough to say, “If you watch TV the wrong way we’re going to take away your access to civic engagement, education, employment and health.” But it’s even worse to say, “If you live in the same house as someone who is the named subscriber for a DSL modem that has been accused — without proof — of being involved in someone — possibly not even someone who lives in your house — watching TV the wrong way, we’re going to take away all these benefits.” This was just wildly disproportionate and really just evil.

It passed without debate because they snuck it into the final session of Parliament, just before they dissolved the Parliament for the election. And it had passed in other countries in the same way. In New Zealand, the way that they passed it was as a rider to the Christchurch earthquake bailout, the bill that was passed to free up resources to help save the people dying in the rubble of Christchurch. They snuck it in there.

This made me so furious that I decided I would write a book about it. So I wrote this novel called Pirate Cinema, and it’s about a kid who lives in one of these northern towns, these rust belt towns, a town called Bradford that was once the center of the textiles industry. His name is Trent, but he calls himself “Cecil B. DeVil” after Cecil B. DeMille the movie producer, because he makes movies. But he doesn’t make movies the way they did in Spielberg’s era, where they had Super 8 cameras, like that Spielberg movie. He doesn’t make them the way they did in my boyhood, with VHS cameras. He makes them the way that you can if you’re a kid in the 21st century, namely by downloading other people’s movies and re-cutting them, and making new movies out of them.

And he’s very good at it, and it totally consumes him, and people love what he does and it’s very popular, and like many consumed, passionate adolescents, he gets careless, and he forgets to use the proxy that hides his internet identity from the snoopers that are used to catch pirates and disconnect them. And so his family gets disconnected, and his dad loses his job, and his mom loses her disability benefits, and his sister can no longer get the grades that she was getting and probably won’t make it into university, and so he’s really effectively destroyed his family.

And he runs away to London, the way the hero of so many British novels does, and he joins a gang — a kind of “ha ha only serious” youth gang of anarchist freegan squatters — who make their own movies and show them in underground movie theaters, not just “underground” in the sense that they are all on the down low, and you have to know who to ask, and it’s all with a wink and a nudge, but “underground” in the sense that they break into beautiful vaulted brick Victorian sewers and turn them into cinemas — pirate cinemas — and these screenings become a citywide and then a nationwide phenomenon — everyone’s doing them, everyone’s making their own movies.

But even though they think that they can no longer engage with the law, that they can just ignore the law, what they discover is that just because they’re not interested in the law doesn’t mean that the law won’t take an interest in them, and very soon the law’s gotten much worse, to the point where people are going to jail just for downloading. When I wrote that, that was science fiction, but two or three weeks ago Japan passed legislation which says that if you download copyright-infringing material, you can go to jail for two years. Which effectively means that if you click the wrong link on YouTube, you go to prison. Japan also provides for 10 years in prison if you upload copyright-infringing material.

And so as these laws get worse, Trent and his friends decide that what they’re going to do is actually prevent new laws from being passed, and that the way that they’re going to do that is by bankrupting the entertainment industry with systematic piracy. So rather than just pirating things in a slapdash way, they’re going to pirate the things that cost the movie industry as much money as possible. So when new movies open, they’re walking up and down the ticket line in Leicester Square — which is kind of our answer to Times Square — and walking up to people in line to buy the ticket to the premiere screening, and they are handing them SD cards with copies of the movie on it, and a note that says, “If you buy a ticket, they’re just going to use the money to screw up our country. Here’s a copy of the movie, go watch it at home, make your own mixes, and come show them at one of our showings.” And, you know, jailarity ensues, because clearly the entertainment industry isn’t going to take that lying down, and that’s when the novel really starts to kick off.

Wired: And I understand that these underground showings are an actual phenomenon, and you attended some of them?

Doctorow: Yeah, there are underground showings, the pirate cinema movement is real, and I was in a pirate cinema in a squatted pub in East London, much like Zeroday, the pub that Trent and his friends live in. One of the people who lived there, Jamie King — who founded a novel distribution company called Vodo that distributes science fiction movies online — he actually was a great source for information on the ins and outs of squatting in London, and some of the stories of what happens to these squatters were taken right from his life story.

Wired: So this is a book that could be seen as glorifying teenage runaways, premarital sex, trespassing, recreational drug use and computer crimes. Did you get any pushback on that, or have any misgivings about including any of that?

Doctorow: I certainly haven’t had any pushback. This is a book about a kid who lives in an unjust society and who tries a variety of strategies to deal with it — some of them smart, some of them not smart — and in some cases doing the not-smart thing ends up getting him into a lot of trouble, which I think is true to life, and in the spirit of a lot of good young-adult literature. So I’m not at all bothered about it. Some of it is presented as romantic, but none of the stuff that I think of as a bad idea is presented as a good idea. It’s just presented as the kind of thing that a 17-year-old who is really upset might do.

Wired: Do you ever get letters from kids who have been inspired by your books to become hacker anarchists?

Doctorow: Yeah, all the time — at least to become hackers, and political activists. My first young-adult novel Little Brother had an afterword with a bibliography for kids who want to get involved in learning how security works, learning how computers work, learning how to program them, learning how to take them apart, learning how to solve their problems with technology as well as with politics. And the number of kids who have written to me and said that they became programmers after reading that, I couldn’t even count them. I’ve had similar responses to my second young-adult novel, For the Win, and I’ve also heard from kids who’ve read Pirate Cinema. In fact, we published an editorial by one of them on Boing Boing — an anonymous reader who makes her own movies out of Japanese anime, and who talked about what drives her and how the book resonated with her.

Wired: Do any of those fans have websites?

Doctorow: For Little Brother, if you go to craphound.com/littlebrother and just click on the remixes tab, there’s a whole ton of these that I’ve collected over the years.

Wired: So in Pirate Cinema, the protagonist Trent writes, “I realized that the press always asks the same questions, so I’d just plop down on the sofa with my laptop and my headset and take the call while Jem fed me so much jet fuel it was a race to see whether I could finish the interview before I attained lift off and sailed into gabbling, babbling coffee orbit.” Is that how you actually do interviews?

Doctorow: [laughs] A little bit. I mean, my friend Steve Gould, who wrote the novel Jumper, which became the not-very-good movie Jumper, went on a press tour when the movie came out, and he’s said the reason it’s called a “press” tour is because it’s like being pressed between two boards. And it is true that most of the questions are the same, but I don’t mind answering them because I find that talking about the stuff helps me think it through. It’s a productive task for me.

I do actually really dislike writing out the same answers over and over again. For some reason, typing the same block of text twice feels remarkably wasteful in a way that saying the same thing twice doesn’t. Maybe because if you say it a lot it gets better, because you can inflect it better, and you can practice it. Whereas if you type the same thing over and over again, I don’t think you get better at it. I mean, maybe you get better at typing, but you don’t get better at expressing the underlying ideas.

So I’ve often thought that what I might do for the so-called e-mail interviews — which I just hate, I hate the kind of “Well, I’ve just got a few quick questions for you,” and the quick questions are questions that are quick to type but not quick to respond to, like “What is art?” or “What is virtue?” or “How should the world be governed?” I mean, that is a very quick question, but not necessarily a quick question to answer.

I’ve often thought that what I might do is take all the questions I’ve been asked before in writing and just post them on a public page, and whenever anyone asks to e-mail interview me, say, “You may ask me two questions that aren’t in this list. You can use this list as much as you like, and you can ask me two more, but with the understanding that as soon as I answer them for you, I’m going to add them to that page.” Because it just seems to me that a lot of e-mail interviews, the real underlying pitch is, “Will you write me five short essays that I can publish under my byline?”

Wired: Well, and what you just described is what Trent does in the novel.

Doctorow: Yeah, well, if it’s a good idea in real life, it’s a good idea to beta test in fiction.

Wired: So you just wrapped up your book tour. Do you have any funny stories from the tour that you want to share?

Doctorow: I’m trying to think of any particularly funny stories. I mean, I’ve had funny road stories before. I got interviewed once when I was on tour with For the Win. I was in San Francisco, and I had an interview scheduled at 5 a.m. with a British newspaper. My friend Aleks Krotoski was writing for the Independent in London — and obviously 5 a.m. on the West Coast is a reasonable hour in London. I’d had room service bring up breakfast, and I had to get dressed while I was talking to her, because I had to get out of the hotel right after we were done and go to the airport, and so I answered her Skype call sitting down at my desk — still not dressed — and she said, “You’re naked.” And I went, “Shit! The camera is on.”

I was at the desk, so you just saw sort of halfway up my chest and up. It wasn’t anything that you wouldn’t see on a beach, certainly, and it wasn’t anything particularly embarrassing, except that I’d answered the video phone naked, essentially. And so I went and turned the camera off. And I kept walking around the room, and getting dressed, and eating my breakfast, and answering her questions, and carrying the laptop around as I did.

And then I was finally dressed, and I’d eaten my breakfast and was finishing up the interview, and I sat down again and put the laptop down again and looked, and the camera light was still on. And I said, “Aleks, has the camera been on the whole time?” And she said, “Yeah, I didn’t want to embarrass you.” And I’m like, “You could have just told me.” [laughs] And again, she’s a very good friend. She’s a good friend of my wife’s. She stayed over at our place. She’s seen me get out of the bathroom with a towel around my waist, and I’m sure she didn’t see anything much ruder than that. But it was a bit embarrassing.

And then the other one was, I did a signing in Austin. And I think it was also on a For the Win tour. And a guy came up, and I said, “So what can I write in your book?” And he said, “Drama hobbit.” And I said, “Drama hobbit?” And he said, “Yeah, drama hobbit.” And I was like, “Really?” And he was like, “Drama hobbit.” And so I drew this “drama hobbit,” a hobbit that was very dramatic — a little guy with a pointy hat and pointy ears and furry feet and a kind of knife, and he had drama lines coming out of him, which in hindsight probably looked a bit like stink lines.

And I handed the book to him and he said, “What’s that?” and I said, “It’s a drama hobbit.” And he said, “No, no, no. Draw Mohammed.” It was “Draw Mohammed Week,” and it was during the Danish cartoon thing. But so I’ve always wanted to do a “Drama Hobbit Week” where everybody draws the most dramatic hobbits they can, but I’ve yet to convince anyone else that it would be a good idea.

Wired: You have a new nonfiction book coming out called Information Doesn’t Want to be Free. You want to tell us about that?

Doctorow: Sure. I mean, my agent has just started to get offers on it — because he just started shopping it — and I haven’t heard much from him because he lives in New Jersey and has no power or water or heat, and has been talking about barbecuing his cats, but as far as I know the sales process is in the offing and the book will be out at some point. It’s a short business book about copyright, and it’s meant to be three sensible things that you can take into your understanding of copyright as you structure your business around the digital age.

The first thing is that if you let someone else put a lock on your file, and if that person doesn’t give you the key, that lock can’t be there for your benefit. That lock will eventually be used against you. And so, for example, Apple and Audible won’t allow you to sell audiobooks without their DRM on it — without their digital lock on it. And because it’s illegal to remove a digital lock, what that’s really doing is tying all of your customers, as someone who makes audiobooks, to their platform.

And so if later on someone has a better platform, what you are doing is guessing or hoping or betting that all the people who have ever bought your audiobooks in the old platform follow you to the new one, even though it means maintaining two separate library management tools, or else throwing away all their old audiobooks, including the ones you sold them. So as someone who invests in making this media, if you’re a publisher or studio or a newspaper or a record label, you really need to focus on making sure that you’re not handing control over your business to a company who doesn’t really contribute to the business; they just put locks on it.

The next piece of advice is that although fame won’t make you rich, you can’t get rich in the arts without fame. On the one hand there are lots of people whose works have been widely downloaded and who didn’t make any money from it, but all the people who made money in the arts made money by being widely known to their audiences. And the internet allows us to have all kinds of paths to have our work discovered and shared among audiences, and promoted within those audiences. It’s still up to us to figure out how to turn that into money, but without the fame you don’t even have the opportunity to do that.

And the copyright laws that the entertainment industry has been agitating for — particularly the ones that make it more expensive to operate any of these services like Blogger or Google or Facebook or YouTube, because they require that you pay unimaginable armies of lawyers to make sure that nothing uploaded infringes on copyright — that what those end up doing is putting independent distribution and independent audience discovery outside of the reach of individual artists, such that you always have to sign up with a label or a studio or a publisher to get a decent deal, or to reach an audience at all, and that when they control all of the distribution channels and all the audience discovery and audience interaction channels, that they can basically command incredibly abusive terms from the artists that they deal with. And so it’s really in artists’ interests that the intermediaries — the people who sit between us and our audiences — have low barriers to entry, so that they’re continuously being disrupted and there are lots of new businesses entering all the time and vying for our business.

And then the third one is that information doesn’t want to be free but people do, and that when we focus on the question of “information” when we make internet policy, instead of recognizing — as you see in Pirate Cinema — that the internet is really fundamentally about everything that we do in the 21st century — not just how we entertain ourselves — that we end up putting everyone at risk. That designing devices, for example, to prevent copying involves designing devices that hide things from their users. You can’t design a device that when you say, “Copy the file please, HAL,” and it says, “I can’t let you do that, Dave,” you can’t design that device in a way that’s effective if there’s a program called “HAL 9000” on the desktop that you can just drag into the trash. So it has to be able to hide programs and processes from users.

And once you start doing that, once you start designing devices so that they hide things from their owners, you get into really serious trouble, because the devices that we use, we use them for everything. They’re not just our entertainment tools, they’re how we live our whole lives, and they know lots of things about us. They know where we are, and who we talk to, and where we’ve been. They know all the secrets of our lives, and so we really want to be sure that they’re honest servants and that they’re not hiding things from us and that they’re not disobeying us when we tell them to do things.

Wired: I saw that Amanda Palmer wrote an introduction to the book.

Doctorow: Yeah, and so did Neil Gaiman.

Wired: And recently there was this big brouhaha online about the way that Amanda handled her Kickstarter campaign. What was your take on that?

Doctorow: Yeah, I was on tour when that happened. I have to say that I didn’t really understand the brouhaha, particularly. It seems to me that what she wanted was to allow people in different cities who had bands and who loved her music to come and perform with her, in the same way that sometimes authors who are coming to town will say to their publicist, “You know, there’s this other author who’s not as well known as me but whose work I really admire. Maybe that author would like to interview me on stage?” I’ve done a ton of those gigs, and I’ve done them in the other direction too. And it’s often the case that when an author is brought to town they’re paid for it — or at the very least they’re selling a book — and the author who’s the kind of junior partner in that, they do it not for money, they do it because for them it’s an opportunity to I guess ride on the other author’s coattails a bit, and also it’s a mutual aid situation — “I’ll help you a little and you help me a little.”

I don’t doubt that Amanda could have paid for musicians to go around with her, or could have arranged things so that she didn’t need as many musicians, but I think that what she did she did from a fairly generous impulse. The people who complained about how she was organizing that part of her business weren’t the people who she was nominally exploiting. It wasn’t like there were people who showed up to perform with Amanda Palmer, went backstage afterwards, saw her lying in a bathtub full of hundred-dollar bills, and went, “Oh my god, I’ve been robbed.” They were instead people who, when Amanda announced, “I would like to get some local performers to come up on stage with me so I can promote these people to the audiences that come out to my gigs and so that we can all perform together, we can play together,” those people jumped at the opportunity. They even queued up to audition for that opportunity, competed for the chance to be on stage at an Amanda Palmer gig and to be within the penumbra of her performance.

The thing that’s confusing about the arts is that it’s both a business and a cultural activity, and there are lots of things that we do in the arts that are not economically rational. I have neglected my own work — rather a lot, in fact — to do things like read young writers’ books so that I could write reviews and blurbs for them, sometimes dropping everything to get a blurb in on time for an author that I really believed in. I didn’t have any rational expectation of making money from that, and the author who asked me was going to make money directly as a result — or at least believed that they would make money directly as a result — of my writing the blurb.

The reason I did that was not a commercial reason. The reason I did it was a cultural reason. It’s because the arts consist of a cultural conversation as well as a series of economic transactions, and those can’t be interrogated according to the same criteria. That’s not to say that you can’t do the wrong thing in a cultural context, but something that might seem wrong or exploitative in an economic context in many cases I think looks great and right in a cultural context.

Wired: Another new book you have that came out recently is Rapture of the Nerds, which is an adult s/f novel you wrote with Charles Stross.

Doctorow: Yeah, Charlie and I took about seven years writing that one. It started as a pair of novellas, the first one published on SciFi.com and the second one published in Infinite Matrix, and also in Lou Anders’ short-lived novella zine Argosy. The first one was called “Jury Service” and the second “Appeals Court,” and they’re books about the Singularity, but they’re books about what happens to the people left behind after the Singularity.

They’re kind of the inverse of the Left Behind novels about the Rapture — there are these fundamentalist Christian religious adventure novels called the Left Behind series that are tremendous bestsellers, and they’re about the lives of the sinners who are left behind on Earth after the final trumpet blows and all the godly people are sucked up to heaven, leaving nothing behind but the godless. Except in our story, all of the people who are rational and godless and secular and technophilic get sucked up into “the Cloud.” Their brains get uploaded to a giant computer literally in the sky — the bones of the solar system have been taken apart and reassembled into a huge Dyson sphere around the sun, with only one hole in it that tracks the Earth like a lighthouse beam.

And the people who are left behind are people who, because of religious conviction or because of suspicion of technology, refuse to send their brains up to the Cloud. It’s a kind of comic adventure about one of those people, a guy named Huw, who’s a Welsh potter and technology hater, who is delighted to find himself chosen for jury service to evaluate a new technology that’s been sent down from the Cloud — from the posthuman intelligence, the Cloud — to Earth, and that some people have actually assembled, and he gets to help choose whether or not that technology will be allowed.

And from there things get very funny and very weird and very madcap. He’s a kind of Rincewind figure who runs all around the world and gets entangled in all these conspiracies. So the first two novellas were really well received, and Tor asked us if we would be interested in adapting them to a novel. So we wrote a third novella that’s longer than the first two put together, and then did a complete rewrite of all of them to make them fit into one book. And that’s Rapture of the Nerds. It came out in September, and did very well, I think.

Wired: I’ve heard you say that this book kind of charts your change in perspective from being very optimistic about the Singularity to being more skeptical. What’s happened that’s made you change your mind about that?

Doctorow: I guess it has to do with my feelings about where my identity is — who I am and whether or not I would still be me if I were inside a computer. Those feelings have changed over time as, for example, I’ve grown older and had to ask questions like, “Am I still me now? Am I still the me that I was 10 years ago?” And also as I’ve watched my daughter grow up. All of those experiences have changed my sense of the extent to which the lived experience of a conscious human being can be successfully simulated in silicon, and whether or not, having been transitioned to silicon, you would still be recognizable as you, or whether something important will have been lost — not a soul, but rather some element that informs your cognition or your sense of self that is in some way inherently embodied.

Wired: You also have a story that you’re doing for Neal Stephenson’s Hieroglyph project.

Doctorow: Yeah, I really need to get working on that one. I’m working on a story about “burners” — people who go to Burning Man — who experiment with a 3-D printer that they can leave on the playa — on the gypsum desert — that harvests gypsum dust and turns it into a yurt over the couple of months that it takes for Burning Man to start, using solar energy. And so this autonomous, habitat-building, 3-D printer robot gives them the idea of building one that can print out using lunar regolith — moon dust. And they land a lunar printer on the moon using private space exploration vehicles, and they direct its operations from a ground-based wiki that can bounce new messages to it — new firmware to it or new instructions to it — using ham radios that bounce signals off the moon. And over the course of a generation they direct its operations to build a lunar habitat that their grandchildren can move into.

Wired: Are there any other new or upcoming projects you’d like to mention?

Doctorow: Well, Homeland is the sequel to Little Brother, and that’ll be out in February. I’ll be on tour with that as well, for three to four weeks, I think, and mostly on the West Coast, in the Southwest, and the South. Those people who have followed my tour this time around will know that I’ve stuck to the Northeast a lot. I actually got the last plane out of Boston before the hurricane hit, and my publicist and publisher have said, “We’re going to try to keep you in warm places that are unlikely to have extreme weather events during the next tour.” Because the last thing you want to do when you’re on these tightly scheduled tours is get snowed in. So if you live in the South, or the Southwest, or the West Coast, keep watching this space.
http://www.wired.com/underwire/2012/...-doctorow/all/

















Until next week,

- js.



















Current Week In Review





Recent WiRs -

November 10th, November 3rd, October 27th, October 20th

Jack Spratts' Week In Review is published every Friday. Submit letters, articles, press releases, comments, questions etc. in plain text English to jackspratts (at) lycos (dot) com. Submission deadlines are Thursdays @ 1400 UTC. Please include contact info. The right to publish all remarks is reserved.


"The First Amendment rests on the assumption that the widest possible dissemination of information from diverse and antagonistic sources is essential to the welfare of the public."
- Hugo Black
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.
© www.p2p-zone.com - Napsterites - 2000 - 2024 (Contact grm1@iinet.net.au for all admin enquiries)