Harry R. Lewis, The Internet and Hieronymus Bosch: Fear, Protection, and Liberty in Cyberspace, pages 57--90 in The *Harvard Sampler: Liberal Education for the Twenty-First Century*, edited by Jennifer M. Shephard, Stephen M. Kosslyn, and Evelynn M. Hammonds, Harvard University Press, Cambridge Massachusetts, 2011. This is a truly remarkable essay, and well worth reading—even if you think you know all about the risks. Harry's content comprehensively spans many of those risks relating to the Internet that we have discussed here in the past, and addresses some of the bigger-picture issues. It is highly relevant to all RISKS readers. It is also easily readable by folks with somewhat less technical expertise than our RISKS readers. (Actually, the entire book is itself full of thoughtfully provocative chapters.) Harry has generously posted the page proofs of his chapter online (albeit minus the Bosch artwork). The text is linked as item #49 on this website page: http://lewis.seas.harvard.edu/pages/publications-technical-articles-theses-and-reports The middle panel from the Bosch triptych is at http;//harry-lewis.blogspot.com/2011/10/garden-of-earthly-delight.html Harry remarks in his end note to his book chapter: This chapter is based on the spring 2009 final lecture of Harry's Harvard course, “Quantitative Reasoning 48: Bits.'' His book with Hal Abelson and Ken Ledeen, Blown to Bits: Your Life, Liberty, and Happiness after the Digital Explosion (Addison-Wesley Professional, Reading, Mass., 2008), is based on the course material and can be downloaded at http://www.bitsbook.com/thebook/. It includes many of the particulars of the course not elaborated in this essay.
Rowena Mason, *The Guardian*, 25 Jul 2014 (via Dave Farber) Jimmy Wales says Google should not be 'censoring history' after web search company reveals it has approved half of requests http://www.theguardian.com/technology/2014/jul/25/right-to-be-forgotten-google-wikipedia-jimmy-wales Internet search engines such as Google should not be left in charge of "censoring history", the Wikipedia founder has said, after the US firm revealed it had approved half of more than 90,000 "right to be forgotten" requests. Jimmy Wales said it was dangerous to have companies decide what should and should not be allowed to appear on the Internet. His comments came after the bosses of the leading search engines met the heads of European data watchdogs on Thursday. Google has been at the centre of a censorship row since the European courts ruled that people should have the right to request that "irrelevant" personal information about them is removed from search results. Since May, the firm has received 90,000 requests for links to be removed, relating to more than 300,000 pages. More than half of these requests have been approved, it told European data watchdogs. The authorities have been concerned that the Google has been notifying the owners of pages that are delisted, which led in one case to a person being written about again by the Wall Street Journal. Google initially made it known that a paedophile, politician and doctor were among the initial removal requests, but has since acknowledged there are some more compelling claims. Wales's position was backed by Rohan Silva, a tech entrepreneur and former adviser to David Cameron, who tweeted that it was "good to hear (Wales) fighting the good fight against Internet censorship". But the Labour MEP Claude Moraes accused Google of failing to implement the EU ruling properly. He also said the firm was not mentioning the fact that data supervisory authorities were the final arbiters in disputed cases and it was not junior staff making decisions on such issues. Christopher Graham, the UK information commissioner, said some of Google's concerns were overblown. [...[
Vice via NNSquad http://motherboard.vice.com/read/the-fliers-full-of-lies-comcast-used-to-kill-off-a-local-internet-competitor In the months and weeks leading up to the vote, the two companies bombarded residents and city council members with disinformation, exaggerations, and outright lies to ensure the measure failed. It did, narrowly, twice: In April 2003 and November 2004. Before the ISPs' disinformation campaigns, support for the project was up over 72 percent. The series of two-sided postcards painted municipal broadband as a foolhardy endeavor unfit for adults, responsible people, and perhaps as not something a smart woman would do. Municipal fiber was a gamble, a high-wire act, a game, something as "SCARY" as a ghost. Why build a municipal fiber network, one asked, when "Internet service [is] already offered by two respectable private businesses?" In the corner, in tiny print, each postcard said "paid for by SBC" or "paid for by Comcast."
I managed to get my hands on some detailed reports from the local speed camera systems. I thought I might find some issues but was amazed at the level of programming incompetence on display. The reports have many times where the system reports that more than 100% of the cars passing a camera are speeding and, at totally different times, that more than 100% of those speeding exceeded the speed limit by more than 12 MPH. The system attempts to divide by zero getting printed results like 1,000,000, (it ends with a comma). There are more problems; these are just among the most blatant. Not surprisingly, the local council members see nothing amiss with such results because, as we all know, camera systems are perfect! I sent the data and my analysis to the Baltimore Sun—which, if no one changes their mind, is planning a story. Obviously, we expect the camera vendor to claim that the errors in the reporting software are atypical; the system never issues an erroneous ticket because much more care is taken with important system processes. Given SEI work and ISO 9000, I expected it would be easy to find expect opinions on the validity of such a claim, written at a level that would be appropriate for a newspaper audience, but have not had much luck. I was going to look around the SRI site, when it occurred to me that writing you might result in acquiring multiple useful bits of information with one e-mail. Anyway, if you know of good sources for the above information, I'd much appreciate pointers - the more the better. [Some readers of RISKS should be sympathetic, perhaps having been erroneously dinged by these automated camera systems. Moreover, many of you are inured to the lack of good software engineering in operating systems, embedded systems, and applications such as infrastructure systems, computer-aided elections, and so on. So it should come as no surprise that some of the camera-driven automatic ticket-writer systems are much less than perfect. PGN]
FYI—Steven Bellovin, Matt Blaze, Sandy Clark and Susan Landau have come up with perhaps the worst idea ever suggested by bright computer scientists: provide legal authorization for every law enforcement agency to conduct black-hat operations on every American, and indeed, on every person on the planet. https://www.cs.columbia.edu/~smb/papers/GoingBright.pdf (11 pages) http://scholarlycommons.law.northwestern.edu/cgi/viewcontent.cgi?article=1209&context=njtip (68 pages) Of course, that isn't what the language of their papers actually says, but that will be the result. Every person on the planet will become a target in the Internet "free fire" zone, with the hackers now having full access to the power and privileges of a nation state. In addition to brushing aside the First, Third, Fourth and Fifth Amendments to the Constitution, making the Internet into a free fire zone will reduce it to a smoldering ruin, thereby rendering it unusable EXCEPT by criminals and "law enforcement" professionals on phishing expeditions. I'm sorry if the Internet is "going dark" for the FBI; for this you can blame the overzealousness of their brethren at the NSA and the craven greed of the advertising and social networking companies. Virtually every computer professional in the world not working at one of these agencies or companies is now pledged to making the Internet "go dark" as soon and as dark as possible—not for the benefit of criminals and terrorists, but for the benefit of the 99% of us who are not involved in crime and terror. Like the people in crime-ridden neighborhoods who "take back their streets", we computer scientists are "taking back our Internet". We in the U.S. have just completed one of the largest case studies of what happens when every individual in an industry has all of its e-mail and financial records available to regulators. The Securities and Exchange Commission (SEC) already requires every person in the financial industry to make every e-mail, cellphone text and financial record available to the SEC in order to enforce insider trading and other financial rules. The result: NADA! NOTHING! With thousands of bankers involved in fraud on the U.S. taxpayer running into the trillions of dollars, _not one has been prosecuted; not one has gone to jail_. If this level of surveillance of the financial community has produced zero convictions in the largest ripoff of tax dollars in history, there is no reason to expect that any increased level of surveillance of non-financial citizens will produce any better results. If the Internet goes dark to the FBI and the NSA, so be it; the alternative existential threat to freedom is far, far worse. As Dietrich Bonhoeffer, German Lutheran theologian, famously noted: “First they came for the Communists, but I was not a Communist so I did not speak out. Then they came for the Socialists and the Trade Unionists, but I was neither, so I did not speak out. Then they came for the Jews, but I was not a Jew so I did not speak out. And when they came for me, there was no one left to speak out for me.” https://www.cs.columbia.edu/~smb/papers/GoingBright.pdf http://www.washingtonpost.com/blogs/the-switch/wp/2014/07/25/the-government-wants-to-wiretap-social-media-or-even-hack-it/ The government wants to wiretap online communications — or in some cases hack them By Ellen Nakashima July 25 Follow @nakashimae Law enforcement and intelligence agencies want to be able to wiretap social media, instant message and chat services. But building in ways to wiretap these kinds of communication can lead to less secure systems, say technical experts, including former National Security Agency officials. Some security experts suggest hacking as an alternative, but other experts -- including FBI officials—say that method poses serious risks. Right now, only phone companies, broadband providers and some Internet phone services are required by law to build in intercept capabilities, but the government wants to extend that requirement to online communication providers. “From a purely technical perspective, when you add this sort of law enforcement access feature to a system, you weaken it,'' said Steven M. Bellovin, a computer science professor at Columbia University. “First, it creates an access point that previously didn't exist. Second, you've added complexity to the system ... and most security problems are due to buggy code.'' In 1994, the government passed the Communications Assistance for Law Enforcement Act, which mandated that phone companies make their systems wiretap-ready. Richard `Dickie' George, a former NSA technical director until he retired in September 2011, recalled how in the mid-1990s, “in the early days of CALEA,'' the NSA tested several commercial phone systems with intercept capabilities and “we found problems in every one.'' Making the systems hack-proof, he said, “is really, really hard.'' He said, however, that over the years, “We've come a long way.'' Susan Landau, a faculty member in the Worcester Polytechnic Institute Department of Social Science and Policy Studies in Massachusetts, said that phone services are more complicated now—and so the switches are, too. “It's highly doubtful the new switches are secure.'' The United States, she said, “has a lot more to lose by building ways into communications networks than it has to gain, because those ways last for a very long time, and we enable others who couldn't afford to build [backdoors] in themselves with ways to get into our communications systems.'' One alternative to wiretaps is to hack the target's phone or computer, Bellovin and Landau said. In so doing, the FBI would be exploiting software flaws that already exist instead of creating new ones, Landau said. And the FBI would be getting communications before they are encrypted or after they are decrypted, Bellovin said. Landau: “They have to be very careful that they don't create a risk that the exploit will proliferate elsewhere. That's why we argue for increasing the funding for research.'' Marcus Thomas, a former FBI official who ran the bureau's Operational Technology Division, said hacking is “unreliable and dangerous because hacks can propagate.'' Some tech-savvy privacy advocates say that the government sees the use of malware as one among a number of options, along with weakening the security of commercial software and forcing companies to allow the installation of malware delivery devices on their networks. “The government wants a selection of tools, not just one,'' said American Civil Liberties Union principal technologist Christopher Soghoian. Forcing companies to put malware on a suspect's cellphone, say by using security update features for mobile users, may lead “privacy aware'' consumers to turn off automatic security updates, Soghoian said. “We don't want to give consumers any reason to not update their software.'' n He added that “by blessing the malware approach, Landau et al. ... are giving DOJ political cover'' to use malware. The FBI has in fact applied for search warrants to use the technique in several recent criminal cases. But FBI officials said in an interview that hacking is not commonly used on the criminal side of the Justice Department. "It is rare in law enforcement investigations," said Amy S. Hess, executive assistant director of the FBI's Science and Technology Branch. She did not comment on how often it might be used in intelligence investigations. She said the capability is “very fragile.'' It changes, “minute by minute, hour by hour, day to day, as to whether or not you're able to stay up on that particular device just because of the changing nature of technology.'' Moreover, she said, “a lot of bad guys trade off devices. So how valuable will it be if you have to keep doing that type of procedure over and over again?'' She noted it is also at “much higher risk'' of detection if it is disclosed in a criminal case. On Thursday, Scott Charney, Microsoft vice president of trustworthy computing, said that the government has never asked the company to change its code or alter its products to give it access to Skype, which is owned by Microsoft. “If they said ... put in a backdoor, we would fight it all the way to the Supreme Court,'' he said during a panel session at the Aspen Security Forum. “If the government did that, and I really don't think they would, it would be at the complete expense of American competitiveness, because if we put in a backdoor for the U.S. government, we couldn't sell anywhere in the world. Not even in America.''
Brian Hayes, Topics, 22 Jul 2014, via ACM TechNews, 25 Jul 2014 Researchers at Harvard University's School of Engineering and Applied Sciences (SEAS) are focused on developing the hardware and software for exascale computers, while others are planning to apply exascale computing resources to diverse scientific fields once they become available. An exascale computer would perform at least 1018 operations per second, and a key challenge in realizing exascale systems is minimizing their electricity consumption. A SEAS research team investigating this issue found many design parameters must be optimized simultaneously rather than individually, while another researcher emphasizes improving the design of individual transistors and the materials from which they are manufactured. Exascale systems likely will have to make do with less memory per processing core, unless new memory devices can be created. SEAS dean Cherry Murray expects heterogeneous computer architectures to dominate scientific computing in the coming years, using specialized subsystems optimized for different classes of algorithms. Also under consideration are systems specialized for one specific operation. Indeed, Institute for Applied Computational Science director Hanspeter Pfister sees a basic rethink of programming models as essential to an exascale transition. "We're beyond the human capacity for allocating and optimizing resources," he says. Pfister suggests shifting some concurrent computation onto hardware, while creating a new level of abstraction to spare coders from micromanaging parallel processes. http://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_5-c3b0x2b7a6x060949& [Let's hope that at least some of the research pays attention to trustworthiness of some of the critical aspects of reliability, security, mathematical correctness, and so on. Other than a few folks such as Les Lamport, very little effort has been devoted to such issues. And I don't think I am EXAggerating. PGN]
Woody Leonhard | InfoWorld, 28 Jul 2014 Microsoft took 12 days to fix a bug that locked out some Office 365 ProPlus customers after a silent patch automatically installed http://www.infoworld.com/t/office-software/another-botched-microsoft-patch-office-365-proplus-says-something-went-wrong-247077
Sharecast via NNSquad http://www.sharecast.com/news/spain-s-google-tax-could-kill-facebook-and-twitter/21898804.html "Spanish Congress has passed a law, known as the "Google tax", that could result in the use of Facebook and Twitter being outlawed in the country. Specifically, Madrid passed a reform to the Spanish Intellectual Property Law (LPI) that grants the Spanish News Publishers Association (AEDE) the "inalienable right" to charge a fee for anyone that adds their content. Experts have begun to analyse the new regulation to see what effect it will have on social networks where users reproduce content with links to the original source." - - - Spain certainly seems to be leading the way in the EU's thrust to try wreck Internet free speech. It won't succeed, but there will be a lot of damage along the way.
Serdar Yegulalp | InfoWorld, 25 Jul 2014 Latest patch set for Oracle's database automatically enables in-memory processing—a feature for which Oracle charges extra. http://www.infoworld.com/t/software-licensing/oracles-new-database-patch-could-cost-you-23000-processor-247035 selected text: According to *The Register*, the latest patch set for Oracle Database 12 includes an upgrade to Oracle's loudly trumpeted in-memory database technology, the company's implementation of a database-acceleration feature now being put to use by Microsoft and many other competitors. Oracle's in-memory processing isn't free, though. And enabling it will cost you $23,000 per processor. What's more, according to analysis by EMC's Kevin Closson, the in-memory features appear to be turned on by default by the patches. The upshot is that anyone who applies the latest patches and isn't conscientious enough to determine whether they really need (or can afford) the in-memory features could find themselves in the hole for at least five figures next time a license audit comes up.
Caroline Craig | InfoWorld, 25 Jul 2014 House approves legislation prohibiting the FCC from aiding local communities eager to set up high-speed broadband services http://www.infoworld.com/t/internet/broadband-bullies-cable-companies-lawmakers-gang-local-providers-246976
Lucian Constantin, InfoWorld, 24 Jul 2014 Hackers are actively exploiting a vulnerability found recently in the MailPoet Newsletters plug-in for WordPress http://www.infoworld.com/d/security/thousands-of-sites-compromised-through-wordpress-plug-in-vulnerability-246960 opening text: A critical vulnerability found recently in a popular newsletter plug-in for WordPress is actively being targeted by hackers and was used to compromise an estimated 50,000 sites so far.
> Apparently the insurance industry and the utility folks are beginning to > look at the security issues around "smart grids", and realizing the > risks..... Reading the article, it seems more like the insurance industry is looking at "smart grids" and detecting an opportunity! The first sentence of one of the linked Insurance Journal articles is "Energy companies have no insurance against major cyber attacks, reinsurance broker Willis said".
> http://www.smartgridnews.com/artman/publish/Technologies_Metering/Smart-meters-are-a-time-bomb-for-utilities-warns-insurance-expert-6652.html I hope that readers of this item took the time to go read the original posting (link above), since there the comments take the writer, Mr Berst, severely to task for conflating cyber attacks with some plain old corruption by insiders and colluding meter manufacturers. It's always a good idea to read to the bottom.
> Apparently the insurance industry and the utility folks are beginning to > look at the security issues around "smart grids", and realizing the > risks..... Reading the article, it seems more like the insurance industry is looking at "smart grids" and detecting an opportunity! The first sentence of one of the linked Insurance Journal articles is "Energy companies have no insurance against major cyber attacks, reinsurance broker Willis said."
Dog's sense of smell is said to be somewhere between 10,000 and 100,000 times better than humans. So yes, they can probably distinguish different types of electronic devices by smell. But I'm fairly certain that pirated bits don't smell any different than regular bits. John C. Rivard, User Experience 248-971-0JCR Voice/SMS text (248-971-0527)
I don't see a legal problem here. Search warrants typically specify particular items being sought. For example, a warrant might state that it is looking for "documents or electronic devices containing evidence of violations of securities law." [Disclaimer: I made that up; I don't think I've read an actual warrant in my life.] The dog's job is to locate USB drives and other electronics such as hard drives. The warrant will have been written to cover whatever storage medium the cops think are likely, and they'll have the right to seize whatever they find. Their problem is finding the stuff, since the guilty party [assuming guilt for the sake of argument] may have hidden it. Once the dog locates the USB drive, it's up to the police to decide whether to seize it. This is no different from finding it in a desk drawer. The dog's job isn't to decide what's contraband, it's to help the police locate it efficiently. Geoff Kuenning firstname.lastname@example.org http://www.cs.hmc.edu/~geoff/
Geoff: I'm no lawyer, either, nor do I play one. I do try to grasp some basic legal principles in hope of better navigating the minefield created by the ever expanding State. My understanding is that a 4A compliant warrant is required to be relatively specific in terms of the evidence sought per a specific crime or crimes. The point is to prevent evidentiary "fishing expeditions". To me, grabbing all electronic storage devices in a home or office indiscriminately in search of content that is evidence of a particular crime is analogous to hauling off every file cabinet and piece of paper in that same setting would have been in 1981. (I know that was done in investigations like Enron, but in that example, there was a strong probability that all such documents were within the scope of examining financial dealings for criminal behavior). I think that meets the plain language definition of "unreasonable". To narrow my statement, if police seize an excessive breadth of electronic storage devices under a search warrant for child pornography and find evidence of same, I expect that evidence and subsequent conviction would hold up in court (all else equal). However, if that same search yielded evidence of, say, wire fraud, and a charge was levied and a conviction obtained on that basis, I would expect that evidence (and possibly the conviction) to be thrown out on appeal. I remain skeptical that a dog can by smell discriminate at all narrowly between differing types of microelectronics.
Please report problems with the web pages to the maintainer