Domain: blogspot.com
Stories and comments across the archive that link to blogspot.com.
Stories · 3,021
RIAA Loses Case Against Launch Media
NewYorkCountryLawyer writes "The RIAA's claim that personalized internet radio stations were 'interactive services' was flatly rejected 'as a matter of law' by the US Court of Appeals for the Second Circuit, in Arista Records v. Launch Media. In affirming the jury's verdict in favor of the defendant, Launch Media — acquired during the lawsuit by Yahoo! — the Court said it did not even need to concern itself with possible errors in the jury instructions, since the trial judge should have directed a verdict for defendant 'as a matter of law' on the question of whether the radio stations were 'interactive services.' At pages 23-42 of its 42-page opinion (PDF), the appeals court carefully analyzed how Launch Media's personalized internet radio stations worked, and noted that the users could neither obtain and play on demand a particular song, nor obtain the transmission of a particular program, thus rendering the RIAA's claim of 'interactivity' meritless." -
Why the BSA Is Less Reviled Than the RIAA
Hugh Pickens writes "The Business Software Alliance (BSA) is a trade group established in 1988 representing a number of the world's largest software makers whose principal activity is trying to stop copyright infringement of software produced by its members, performing roughly the same function for the software industry that the RIAA performs for the music industry. Yet, as Bill Patry, author of a 7-volume treatise on US copyright law and currently Senior Copyright Counsel at Google, notes on his blog, the BSA is a 'far less unpopular organization' than the RIAA because there are three key differences between the BSA's campaigns and the RIAA's. First, BSA's members have always offered their products for sale to the public, through any channel that wants to sell them. Second, BSA's members are consumer-oriented; they try to develop products that respond to consumers' needs, and not the reverse, focusing on what they want to sell to consumers. Third, because consumers can easily purchase BSA's members' products, those who copy without paying are simply scofflaws. 'I think the fact that the public does not object to BSA's campaign proves my point [that]... people do not want things for free; they are willing to pay for them,' writes Patry. 'It should not be surprising that when consumers are not treated with respect, they react negatively. That's something the software industry learned long ago, and that's why people don't object to the BSA's enforcement campaign.'" -
88% of Electronics Exports Reused, Not Dumped
retroworks writes "Greenercomputing.com staff covered a study which sheds more light on the controversial practice of exporting used computer equipment overseas. University of Arizona professors Ramzy Kahhat and Eric Williams' newly published research, Product or Waste? Importation and End-of-Life Processing of Computers in Peru, apparently confirms what WR3A.org says in the video 'Fair Trade Recycling'. Namely, that most of the exports of used computers imported by buyers overseas (88%) are really for reuse and repair. Otherwise, people would not pay to import them. This bolsters pro-export arguments made in a scholarly article by Charles Schmidt of NIH in 2006. Perhaps what is needed to stem e-waste pollution is not a ban on exports, but for more people to export, so that buyers have more choice of (ethical) suppliers. Put another way: If used computer exports are outlawed, only outlaws will export used computers." -
Woman With Police-Monitoring Blog Arrested
Kris Thalamus writes "The Washington Post reports that a Virginia woman is being held in custody by police who allege that information she posted on her blog puts members of the Jefferson area drug enforcement task force at risk. 'In a nearly year-long barrage of blog posts, she published snapshots she took in public of many or most of the task force's officers; detailed their comings and goings by following them in her car; mused about their habits and looks; hinted that she may have had a personal relationship with one of them; and, in one instance, reported that she had tipped off a local newspaper about their movements. Predictably, this annoyed law enforcement officials, who, it's fair to guess, comprised much of her readership before her arrest. But what seems to have sent them over the edge — and skewed their judgment — is Ms. Strom's decision to post the name and address of one of the officers with a street-view photo of his house. All this information was publicly available, including the photograph, which Ms. Strom gleaned from municipal records.'" -
C# and Java Weekday Languages, Python and Ruby For Weekends?
Dan Lorenc writes "Using the StackOverflow.com data dump, I measured the activity of various programming languages throughout the week. The results: Ruby and Python saw a rise in questions asked on the weekend while C# and Java saw a dropoff in activity on the weekend. This means that more programmers are using Python and Ruby on the weekend for their personal projects, showing that these languages are more fun to use. Show this experiment to your boss the next time you are selecting a programming language for a project at work." -
Wikipedia Approaches Its Limits
Reservoir Hill writes "The Guardian reports that a study by Ed H Chi demonstrates that the character of Wikipedia has changed significantly since Wikipedia's first burst of activity between 2004 and 2007. While the encyclopedia is still growing overall, the number of articles being added has reduced from an average of 2,200 a day in July 2007 to around 1,300 today while at the same time, the base of highly active editors has remained more or less static. Chi's team discovered that the way the site operates had changed significantly from the early days, when it ran an open-door policy that allowed in anyone with the time and energy to dedicate to the project. Today, they discovered, a stable group of high-level editors has become increasingly responsible for controlling the encyclopedia, while casual contributors and editors are falling away. 'We found that if you were an elite editor, the chance of your edit being reverted was something in the order of 1% — and that's been very consistent over time from around 2003 or 2004,' says Chi. 'For editors that make between two and nine edits a month, the percentage of their edits being reverted had gone from 5% in 2004 all the way up to about 15% by October 2008. And the 'onesies' — people who only make one edit a month — their edits are now being reverted at a 25% rate.' While Chi points out that this does not necessarily imply causation, he suggests it is concrete evidence to back up what many people have been saying: that it is increasingly difficult to enjoy contributing to Wikipedia unless you are part of the site's inner core of editors. Wikipedia's growth pattern suggests that it is becoming like a community where resources have started to run out. 'As you run out of food, people start competing for that food, and that results in a slowdown in population growth and means that the stronger, more well-adapted part of the population starts to have more power.'" -
Leaving the GPL Behind
olddotter points out a story up at Yahoo Tech on companies' decisions to distance themselves from the GPL. "Before deciding to pull away from GPL, Haynie says Appcelerator surveyed some two dozen software vendors working within the same general market space. To his surprise, Haynie saw that only one was using a GPL variant. 'Everybody else, hands down, was MIT, Apache, or New BSD,' he says. 'The proponents of GPL like to tell people that the world only needs one open source license, and I think that's actually, frankly, just a flat-out dumb position,' says Mike Milinkovich, executive director of the Eclipse Foundation, one of the many organizations now offering an open source license with more generous commercial terms than GPL." -
Google Previews New Search Infrastructure
Google has announced a "developer preview" of a new search infrastructure, though one wouldn't have to be a developer to try it out. Google is asking for feedback on how the search results in the new regime stack up against the old. Matt Cutts has posted a mini FAQ. Some early testing indicates that the new search may be faster in some cases, and return more relevant results, than the old one. Those who attempt to game Google search for a living will be scrambling henceforth. Has anyone identified the new crawler bot in log files? -
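The closing question, which crawler shows up in your logs, is one a practitioner should answer without trusting the User-Agent string, since that header is attacker-controlled and 'Googlebot' is a popular disguise for scanners. The following is an added example, not code from the story or from Google: it parses Apache/nginx combined-format log lines, counts crawler-looking user agents per source IP, and applies Google's documented verification (reverse DNS of the IP to a googlebot.com or google.com host, then forward DNS of that host back to the same IP). The log lines and the DNS table are constructed for the example so it runs offline; `live_reverse`/`live_forward` are the real resolver functions you would pass in production.

```python
"""Identify crawlers in web server logs and verify a claimed Googlebot.

Added example (not from the story or from Google). The User-Agent header is
attacker-controlled, so a 'Googlebot' string proves nothing by itself. The
check is reverse DNS of the client IP to a googlebot.com/google.com host,
then forward resolution of that host back to the same IP. Resolvers are
injectable so the example runs offline on constructed log lines.
"""
import re
import socket
from collections import Counter
from typing import Callable, Iterable, List, Optional

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CRAWLER_HINTS = ("bot", "crawler", "spider")
GOOGLE_SUFFIXES = (".googlebot.com", ".google.com")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def crawler_hits(lines: Iterable[str]) -> Counter:
    """Count requests per (ip, user-agent) whose UA looks like a crawler."""
    hits: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and any(h in rec["ua"].lower() for h in CRAWLER_HINTS):
            hits[(rec["ip"], rec["ua"])] += 1
    return hits


Reverse = Callable[[str], str]         # ip -> PTR hostname
Forward = Callable[[str], List[str]]   # hostname -> list of A records


def verify_googlebot(ip: str, reverse: Reverse, forward: Forward) -> bool:
    """True only if PTR is under a Google crawler domain AND resolves back to ip."""
    try:
        host = reverse(ip).rstrip(".").lower()
        if not host.endswith(GOOGLE_SUFFIXES):
            return False
        return ip in forward(host)
    except OSError:          # NXDOMAIN, timeout, etc. count as unverified
        return False


# Real resolvers for production use (network access required).
def live_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def live_forward(host: str) -> List[str]:
    return socket.gethostbyname_ex(host)[2]


# Constructed sample log lines: one real-looking Googlebot, one spoofed UA
# from a non-Google address, one ordinary browser.
SAMPLE_LOG = [
    '66.249.66.1 - - [10/Aug/2009:12:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.7 - - [10/Aug/2009:12:00:05 +0000] "GET /admin HTTP/1.1" 403 199 "-" '
    '"Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
    '198.51.100.9 - - [10/Aug/2009:12:00:09 +0000] "GET / HTTP/1.1" 200 4096 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1)"',
]
# Constructed DNS table: the spoofer controls its own PTR record but cannot
# make a Google hostname resolve forward to its address.
FAKE_PTR = {"66.249.66.1": "crawl-66-249-66-1.googlebot.com",
            "203.0.113.7": "googlebot.com.evil.example"}
FAKE_A = {"crawl-66-249-66-1.googlebot.com": ["66.249.66.1"]}


def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]


def fake_forward(host: str) -> List[str]:
    return FAKE_A.get(host, [])


def classify(lines: Iterable[str], reverse: Reverse = fake_reverse,
             forward: Forward = fake_forward) -> dict:
    """Map each IP claiming to be Googlebot to 'verified' or 'spoofed'."""
    return {ip: ("verified" if verify_googlebot(ip, reverse, forward) else "spoofed")
            for (ip, ua) in crawler_hits(lines) if "googlebot" in ua.lower()}


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(ip, verdict)
```

The forward-confirmation step matters: anyone who controls the reverse zone for their own address space can publish a PTR ending in googlebot.com, but only Google can make that hostname resolve back to the querying IP. Cache the verdicts per IP; doing two DNS lookups per log line is what makes people skip the check.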
Open Source Textbook For Computer Literacy?
dcollins writes "The college where I work has decided to forego ordering a textbook for the computer class that I teach this fall. Does anyone know of a free, open-source textbook for basic computer literacy concepts (overview of hardware, software, operating systems, and file systems)?" -
Playing a First-Person Shooter Using Real Guns
Blake writes "A group called Waterloo Labs rigged up a few accelerometers to a large wall and projected a first-person shooter onto it. Using some math, they can triangulate the position of impacts on the wall, so naturally they found someone with a gun and bought a large case of ammunition. Even cooler, this group usually posts a 'how we did it' video a few weeks after a project's debut, including source code." -
New Chrome Beta Adds Themes, Speed, & HTML 5 Video
adeelarshad82 writes "Google developers are always working on and updating Chrome in three channels — Stable, Beta, and Developer — in increasing positions on the bleeding-edge scale. Today the company thought changes to the Beta channel warranted a post on the main Google Blog. The advances range from the superficial addition of themes for customizing the browser's window borders to even faster speed under the hood to internal support for HTML 5 tags such as <video> and 'web workers,' which allows the browser to divvy processing work among sub-threads." -
KDE 4.3 Released
Jos Poortvliet writes "After another 6 months of hard work by over 700 people, after fixing over 10,000 bugs and granting 2,000 wishes, KDE 4.3, or 'Caizen,' is here (the release takes its nickname from the Japanese philosophy of continuous improvement). The KDE Desktop Workspace introduces, besides the usual stability and speed improvements, new widgets, the ability to 'peek' in a folder with folderview, and activities tied to virtual desktops. The KDE Application Suites feature improvements in the utilities, like more formats supported in Ark and the return of the Linux Infrared Remote Control system. Instant messenger Kopete introduces an improved contact list and KOrganizer can sync with Google Calendar. KMail supports inserting inline images into email and the Alarm notifier has gained export functionality, drag and drop, and an improved configuration. The KDE Application Development platform has seen work on integrating the Social Desktop and the new system tray protocol from Freedesktop.org. You can watch a screencast of the Desktop Workspace here." -
Microsoft Redefines "Open Standards"
Glyn Moody writes "Microsoft is at it again: trying to redefine what 'open' means. This time it wants open standards to be 'balanced' — for them to include patent-encumbered technologies under RAND (reasonable and non-discriminatory) terms. Which just happens to be incompatible with free software licensed under the GNU GPL." -
Students Settle With TurnItIn In Copyright Case
An anonymous reader writes "With the deadline for a Supreme Court appeal rapidly approaching, the students who sued TurnItIn.com for issues surrounding copyright infringement reached a settlement with the site's company on Friday. Now the search goes out for any student who has a paper which is being held by TurnItIn that they did not upload themselves. If your teacher uploaded a paper and ran a TurnItIn report without your permission, I bet the students' attorney would like to hear from you." -
Tenenbaum Lawyers Now Passing the Hat
NewYorkCountryLawyer writes "Just when you think this case couldn't get any stranger, it now appears that the defendant's 'legal team' in SONY BMG Music Entertainment v. Tenenbaum is passing the hat, taking up a collection. Only the reason for the collection isn't to defray costs and expenses of further defending the action, but to pay the RIAA the amount of the judgment so that their client won't have to declare bankruptcy. I would suggest there might have been a much better way of avoiding bankruptcy. It's called 'handling the case competently.'" -
Bootkit Bypasses TrueCrypt Encryption
mattOzan writes with this excerpt from H-online: "At Black Hat USA 2009, Austrian IT security specialist Peter Kleissner presented a bootkit called Stoned which is capable of bypassing the TrueCrypt partition and system encryption. The bootkit uses a 'double forward' to redirect I/O interrupt 13h, which allows it to insert itself between the Windows calls and TrueCrypt." -
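The security point behind the story is that TrueCrypt system encryption leaves the MBR and its boot loader in plaintext by design (something has to run before the passphrase prompt), so a bootkit written there executes first and can hook INT 13h before TrueCrypt's own code does. The practical check is integrity of that unencrypted region. The following is an added example, not part of the H-online article or of Stoned: it parses a 512-byte MBR image (boot code, four 16-byte partition entries, 0x55AA signature), hashes the boot-code bytes, and compares them with a baseline recorded when the machine was known-good. The MBR images are constructed in the example; on a real system you would read sector 0 from the raw device (for instance `\\.\PhysicalDrive0` on Windows or `/dev/sda` on Linux).

```python
"""Check a 512-byte MBR image for the kind of modification a bootkit makes.

Added example, not from the story or from the Stoned project. TrueCrypt's
system encryption cannot protect the MBR it boots from, so the generic
defence is to baseline the unencrypted boot code and re-check it. The sample
MBR images below are constructed for this example.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List

MBR_SIZE = 512
BOOT_CODE_LEN = 446       # bytes 0..445: executable boot code
PART_TABLE_OFF = 446      # four 16-byte partition entries follow
BOOT_SIG_OFF = 510        # 0x55 0xAA


@dataclass
class PartitionEntry:
    status: int
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


def parse_partitions(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four partition table entries, skipping empty ones."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from("<B3sB3sII", mbr, off)
        if ptype != 0:
            entries.append(PartitionEntry(status, ptype, lba, count))
    return entries


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA"


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 over the unencrypted boot code, the region a bootkit overwrites."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> List[str]:
    """Return findings; an empty list means the MBR matches the baseline."""
    findings = []
    if len(mbr) != MBR_SIZE:
        findings.append(f"unexpected MBR length {len(mbr)}")
        return findings
    if not has_boot_signature(mbr):
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline (possible bootkit)")
    bootable = [p for p in parse_partitions(mbr) if p.bootable]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions, expected 1")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a sample MBR: given boot code, one bootable NTFS partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48           # three empty entries
    return code + table + b"\x55\xAA"


# Constructed images: the baseline, and the same disk with only the boot code replaced.
KNOWN_GOOD = make_sample_mbr(b"\xEB\x3C\x90" + b"sample-truecrypt-loader")
BASELINE = boot_code_hash(KNOWN_GOOD)
TAMPERED = make_sample_mbr(b"\xEB\x3C\x90" + b"sample-bootkit-stub")

if __name__ == "__main__":
    print("known-good:", check_mbr(KNOWN_GOOD, BASELINE) or "ok")
    print("tampered:  ", check_mbr(TAMPERED, BASELINE))
```

Two caveats. The baseline must be stored somewhere the bootkit cannot reach (the same disk does not qualify), and the check must run from trusted boot media: a bootkit that additionally filters disk reads once the OS is up can return the original sector to whatever reads it. Hashing the MBR detects the overwrite after the fact; preventing it needs a measured or verified boot chain, which is precisely what software-only pre-boot encryption of this era lacked.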
Toyota Reveals A Humanoid Robot That Can Run
Peter writes "Toyota researchers have unveiled a new humanoid robot that can run at 7 km/h, which is faster than Honda's humanoid robot ASIMO. Toyota's robot can also keep itself balanced when pushed, as shown in the video." -
RIAA Awarded $675,000 In Tenenbaum Trial
NewYorkCountryLawyer writes "The jury awarded the record company plaintiffs $675,000 in the Boston trial defended by Prof. Charles Nesson, SONY BMG Music Entertainment v. Tenenbaum. I was not surprised, since exactly none of the central issues ever even came up in this trial. The judge had instructed the jurors that Mr. Tenenbaum was liable, and that their only task was to come up with a verdict that was more than $22,500 and less than $4.5 million. According to the judge, her reason for doing so was that, when on the stand, the defendant was asked if he admitted liability, and he said 'yes.' The lawyers among you will know that that was a totally improper question, and that the Court should not have even allowed it, much less based her holding upon the answer to it." -
DHS Tries to Safeguard Against Giant Monster Attack
KnightShift writes "Earlier this month the Department of Homeland Security halted the publication of the Monsterpocalypse Series 3: All Your Base Strategy Guide due to 'national security concerns.' In a statement on its website Privateer Press, which publishes the popular kaiju-inspired collectible miniatures game, reported that 'Homeland Security pulled the shipment for an intensive examination last week when it arrived in the United States. While no comment was made to the nature of the investigation, several crew members within Privateer Press believe the government became concerned over some of the more radical ideals espoused by several factions within the Monsterpocalypse game.' Privateer Press Chief Creative Officer Matt Wilson added that 'I am confident that the investigation's outcome will reaffirm the rights of free speech and protest of the radical environmental group Green Fury at the perceived devastation man is having on our planet as well as the freedom of people to practice religion without governmental oversight — even those religions which may very well bring forth the minions of the ancient Lords of Cthul.'" -
Emacs Hits Version 23
djcb writes "Only two years after the previous version, emacs 23.1 is now available. It brings many new features, of which the support for anti-aliased fonts on X may be the most visible. Also, there is support for starting emacs in the background, so you can pop up new emacs windows in the blink of an eye. There are many other bigger and smaller improvements, including support for D-Bus, Xembed, and viewing PDFs inside emacs. And not to forget, M-x butterfly. You can get emacs 23 from ftp.gnu.org/gnu/emacs/ or one of its mirrors; alternatively, there are binary packages available, for example from Ubuntu PPA." -
Microsoft Uses Human Computing Game To Tune Bing
Al writes "Microsoft researchers have come up with a novel way to fine-tune the algorithms behind the company's new search engine, Bing: a game that harnesses human computing power to improve the results. Called Page Hunt, the game (which of course requires Silverlight to run) shows users a web page and asks them to figure out a search query that should produce the page within the first five results. The idea is to better understand user behavior and expectations and ultimately improve its search algorithms. Other human-computing projects have sought to digitize out-of-print text (reCAPTCHA) and image labeling (Google Image Labeler). Can Microsoft use a similar approach to gain the edge over its rival? Or does Google already have the edge with SearchWiki, which lets searchers re-rank its results?" -
Are Women Getting More Beautiful?
FelxH writes "Scientists have found that evolution is driving women to become ever more beautiful, while men remain as aesthetically unappealing as their caveman ancestors. The researchers have found beautiful women have more children than their plainer counterparts and that a higher proportion of those children are female. Those daughters, once adult, also tend to be attractive and so repeat the pattern." I just thought my standards were changing as I got older, but it turns out it's just science! -
The Web of Data, Beyond What Google and Yahoo Show
jccq writes "Both Google and Yahoo have been supporting Semantic Web markup (RDFa, RDF and Microformats) for weeks and months respectively. What they do, at the moment, is use the markup only for visual feedback by returning better looking, more functional 'page snippets.' But how would it look if you could get all these bits and compose them automatically to form a single structured information page about what you're searching for? The folks at the DERI institute have just released Sig.ma, a visual browser and mashup generator that will go all over the web of data and find dozens of sources to combine together when answering a user query. It also comes in API mode to reuse the information Sig.ma finds inside applications. Here are a screencast and a blog post, with semantic-web-geek details." -
Google Latitude Arrives For the iPhone — As a Web App
An anonymous reader writes "After months of waiting, the Google Latitude social maps service finally arrived for the iPhone ... but thanks to an Apple rejection of the natively developed app, it's a web app. Says Google on their blog, 'We worked closely with Apple to bring Latitude to the iPhone in a way Apple thought would be best for iPhone users. After we developed a Latitude application for the iPhone, Apple requested we release Latitude as a web application in order to avoid confusion with Maps on the iPhone.' But it gets worse for iPhone users: 'Unfortunately, since there is no mechanism for applications to run in the background on iPhone (which applies to browser-based web apps as well), we're not able to provide continuous background location updates in the same way that we can for Latitude users on Android, BlackBerry, Symbian and Windows Mobile.' Latitude has been sprouting new features lately and is an interesting take on social networking, but it looks like Apple is determined to ensure its users only get a seriously crippled implementation compared to the Android and WinMo versions. PC World put it less politely than Google did, saying, 'Google's new Latitude Web app for iPhone is so hamstrung that Apple customers may be wishing they had a BlackBerry or Android handset instead.'" -
Spore Patch Nearly Lets Creatures Into Other Games
Dalambertian writes "The release of Spore's Patch 5 lets players export their creatures (and soon vehicles and buildings) in Collada format. This includes textures, bump mapping, and rigging for animation. Maxis developer Ocean Quigley recently posted a nice tutorial for getting said creatures into Maya, and other 3D packages are soon to follow. This could have a huge impact on the games industry, and the indie games scene in particular. Unfortunately, if the patch falls under the usual EULA, then any legitimate use of the art assets outside of the Spore community becomes impossible. EA is apparently just teasing us with its taste-but-don't-swallow policy, and at present it's not clear whether the genius that came out of Spore's development will ever truly be accessible to the game dev community." -
EFF Urges Pressure On Google Over Book Search
angry tapir writes "The Electronic Frontier Foundation is urging its supporters to pressure Google to build significant privacy protections into its Book Search service. The EFF suggests that the service gives Google access to new personal information: what people are searching for in out-of-print and out-of-copyright books. The EFF posted its concerns with Google Book Search on its blog, with EFF designer/activist Hugh D'Andrade saying the search product could infringe on 'privacy of thought.' Google, in a responding blog post, said it will protect user privacy, though it can't yet say how — the service hasn't been designed yet, nor approved." -
The Battle Between Purists and Pragmatists
Glyn Moody has a thoughtful piece taking a long look at the never-ending battle between pragmatists and purists in free and open software. "While debates rage around whether Mono is good or bad for free software, and about 'fauxpen source' and 'Faux FLOSS Fundamentalists,' people are overlooking the fact that these are just the latest in a series of such arguments about whether the end justifies the means. There was the same discussion when KDE was launched using the Qt toolkit, which was proprietary at the time, and when GNOME was set up as a completely free alternative. But could it be that this battle between the 'purists' and the 'pragmatists' is actually good for free software — a sign that people care passionately about this stuff — and a major reason for its success?" -
Pics of the Longest Solar Eclipse of the Century
Vinod writes "Yesterday thousands of people around Asia witnessed the longest solar eclipse of the century. Although it was not clearly visible in some parts due to overcast weather, thousands of people gathered to view this spectacular event. Yesterday's solar eclipse lasted for 6 to 7 minutes, making it the longest solar eclipse of the century. Here is a collection of 33 beautiful images of the solar eclipse from around the world." -
Hacking Nuclear Command and Control
The Walking Dude writes "The International Commission on Nuclear Non-proliferation and Disarmament (ICNND) has released an unclassified report exploring the possibility of cyber terrorists launching nuclear weapons. Ominous exploits include unreliable early warning sensors, insecure nuclear weapons storage, transportation blunders, breaches in the chain of command, and the use of Windows on nuclear submarines. A traditional large-scale terrorist attack, such as the 2008 Mumbai attacks, could be combined with computer network operations in an attempt to start a nuclear war. Amidst the confusion of the traditional attack, communications could be disrupted, false declarations of war could be issued on both sides, and early warning sensors could be spoofed. Adding to this is the short time frame in which a retaliatory nuclear response must be decided upon, in some cases as little as 15 minutes. The amount of firepower that could be unleashed in these 15 minutes would be equivalent to approximately 100,000 Hiroshima bombs." -
MIT Electric Car May Outperform Rival Gas Models
alphadogg writes "Inside a plain-looking garage on the Massachusetts Institute of Technology's campus, undergraduate Radu Gogoana and his team of fellow students are working on a project that could rival what major automobile manufacturers are doing. The team's goal is to build an all-electric car with performance capabilities similar to those of gasoline-only counterparts, which includes a top speed of about 161 kph, a family sedan capacity, a range of about 320 kilometers and the ability to recharge in about 10 minutes. They hope to complete the project, which they chronicle on their blog, by the third quarter of 2010. Each member of MIT's Electric Vehicle Team works almost 100 hours a week on the project they call elEVen. 'Right now the thing that differentiates us is that we're exploring rapid recharge,' Gogoana said during an interview. He said that many of today's electric vehicles take between two to 12 hours to recharge and he doesn't know of any commercially available, rapidly recharging vehicles." -
Researchers Create Database-Hadoop Hybrid
ericatcw writes "'NoSQL' alternatives such as Hadoop and MapReduce may be uber-cheap and scalable, but they remain slower and clumsier to use than relational databases, say some. Now, researchers at Yale University have created a database-Hadoop hybrid that they say offers the best of both worlds: fast performance and the ability to scale out near-indefinitely. HadoopDB was built using PostgreSQL, though MySQL has also successfully been swapped in, according to Yale computer science professor Daniel Abadi, whose students built this prototype." -
How They Built the Software of Apollo 11
LinuxScribe tips a piece up at Linux.com with inside details on the design and construction of the Apollo 11 code. There are some analogies to open source development but they are slim. MIT drafted the code to run on the Apollo Guidance Computer, a device with less grunt than an IBM XT: it had 2K words of erasable memory, with the programs themselves held in fixed (read-only) core-rope memory, and a clock of roughly 1 MHz. It was an amazing machine for its time. NASA engineers tested, polished, simulated, and refined the code. "The software was programmed on IBM punch cards. They had 80-columns and were 'assembled' to instruction binary on mainframes... and it took hours. ... During the mission, most of the software code couldn't be changed because it was hard-coded into the hardware, like ROM today... But during pre-launch design simulations, problems that came up in the code could sometimes be finessed by... computer engineers using a small amount of erasable memory that was available for the programs. The software used a low-level assembly language and was controlled using pairs or segments of numbers entered into a square-shaped, numeric-only keyboard called a Display and Keyboard Unit... The two-digit codes stood for 'nouns' or 'verbs,' and were used to enter commands or data, such as spacecraft docking angles or time spans for operations." Reader Smark adds, "The Google Code Blog announced today that the Virtual AGC and AGS project has transcribed the Command Module and Lunar Excursion Module code used during the Apollo 11 moon landing. The code is viewable at the VirtualAGC Google Code Page." -
Court Appoints Pro Bono Counsel For RIAA Defendant
NewYorkCountryLawyer writes "In what could be a turning point in the RIAA's litigation campaign, a Michigan judge has decided to appoint pro bono counsel to represent college student Brittany Kruger, who is being sued by the RIAA in SONY BMG Music Entertainment v. Kruger. As this article points out, 'if other judges follow suit, things will change dramatically.' That is because the RIAA's entire litigation campaign is based upon economic inequality of the litigants: almost none of those sued by the RIAA can afford legal representation, and the RIAA has a huge economic incentive to fight cases to the death, while the defendants have no economic incentive greater than the 'settlement' amount, which they often pay even when entirely innocent. If the courts follow the lead of District Judge Timothy P. Greeley [PDF], and appoint pro bono legal counsel, the RIAA will no longer be able to achieve the easy pickings default judgments and 'settlements' it's routinely obtained in the past." -
Unusual Physics Engine Game Ported To Linux
christian.einfeldt writes "Halloween has come early for Linux-loving gamers in the form of the scary Penumbra game trilogy, which has just recently been ported natively to GNU-Linux by the manufacturer, Frictional Games. The Penumbra games, named Overture, Black Plague and Requiem, are first-person survival horror and physics puzzle games which challenge the player to survive in a mine in Greenland which has been taken over by a monstrous infection/demon/cthulhu-esque thing. The graphics, sounds, and plot are all admirable in a scary sort of way. The protagonist is an ordinary human with no particular powers at all, who fumbles around in the dark mine fighting zombified dogs or fleeing from infected humans. But the game is remarkable for its physics engine — rather than just bump and acquire, the player must use the mouse to physically turn knobs and open doors; and the player can grab and throw pretty much anything in the environment. The physics engine drives objects to fly and fall exactly as one would expect. The porting of a game with such a deft physics engine natively to Linux might be one of the most noteworthy events for GNU-Linux gamers since the World of Goo Linux port." -
RIAA Loses Bid To Keep Revenues Secret
NewYorkCountryLawyer writes "The RIAA's motion to keep secret the record companies' 1999-to-date revenues for the copyrighted song files at the heart of the case has been denied, in the Boston case scheduled for trial July 27th, SONY BMG Music Entertainment v. Tenenbaum. The Judge had previously ordered the plaintiff record companies to produce a summary of the 1999-to-date revenues for the recordings, broken down into physical and digital sales. On the day the summary was due to be produced, instead of producing it, they produced a 'protective order motion' asking the Judge to rule that the information would have to be kept secret. The Judge rejected that motion: 'the Court does not comprehend how disclosure would impair the Plaintiffs' competitive business prospects when three of the four biggest record labels in the world — Warner Bros. Records, Sony BMG Music Entertainment, and UMG Recording, Inc. — are participating jointly in this lawsuit and, presumably, would have joint access to this information.'" -
Google Voice Apps Arrive For Android and Blackberry
Mark Mathson writes "Two Google Voice apps have been released for Blackberry and Android phones. The Android app is the most complete, and it takes over the native dialer, address book and call log. Users won't be bothered with accidentally dialing numbers through the device phone number. The Blackberry app is less integrated, accessing only the native address book, and uses its own dialer. Users can't simply go into the call log and return missed calls. They need to go back to the address book and select Google Voice to make the call. Still, it solves a big problem. The apps also allow users to access the core features of Google Voice. You can listen to or read voicemails and text messages (all voicemails are automatically transcribed), access call history, send SMS messages and place international calls at low rates." -
Judge May Take "Fair Use" Away From Jury
NewYorkCountryLawyer writes "In what I can only describe as a shocker, the Judge in SONY BMG Music Entertainment v. Tenenbaum has, on her own, issued an order questioning whether the jury will be allowed to decide the 'fair use' issue at all, or whether the Judge herself should decide it. Judge Nancy Gertner's decision (PDF) notes that the courts have traditionally submitted the fair use defense to the jury, but questions whether that was appropriate, since the courts have referred to it as an 'equitable' — as opposed to a 'legal' — defense. This decision came from out of the blue, as neither party had raised this issue. IMHO the Judge is barking up the wrong tree. For one, all across the legal spectrum in the US, 'equitable' defenses to 'legal' claims are triable to a jury. Secondly, as the Judge herself notes, the courts have traditionally submitted the issue to the jury. It also seems a bit unfair to bring up a totally new issue like that and give the parties only 6 days to do their research and writing on the subject, at a time when they are feverishly preparing for a July 27th trial." -
Attacks Against Unpatched Microsoft Bug Multiply
CWmike writes "Attacks exploiting the latest Microsoft vulnerability are quickly ramping up in quantity and intensity, several security companies warned today as they rang alarms about the developing threat. Symantec, Sunbelt Software, and SANS' Internet Storm Center bumped up their warnings yesterday after Microsoft announced that attackers were exploiting a bug in an ActiveX control used by IE to display Excel spreadsheets. There is no patch for the vulnerability; Microsoft didn't release one in today's Patch Tuesday. A temporary fix that sets the 'kill bits' of the ActiveX control is available, but experts believe it's likely most users won't take advantage of the protection. Symantec raised its ThreatCon ranking to the second of four steps. "We're seeing it exploited, but currently on a limited scale," said Symantec's Ben Greenbaum. Sunbelt also bumped up its ranking, to high." Firefox users can't be too complacent; Secunia is warning of a 0-day in version 3.5. -
R.I.P. FTP
Slashdot contributor Bennett Haselton says "Using FTP to administer a website is insecure -- but not for the reasons that you probably think. You yourself can stop using FTP any time you want, but how do we change the landscape Net-wide, to reduce the number of break-ins using stolen FTP credentials?" You know what to click on if you want to read the rest.
On July 1st I found that one of my less important websites, hosted on a low-cost shared Web hosting service, had been broken into. A friend emailed me to say that the site was showing up in Google's search results with the Google "This site may harm your computer" warning listed next to it. I found that on one of the pages, about 1,500 HTML script tags had been inserted, loading JavaScript files from pseudo-random Russian hostnames like "www.chk06.ru" and "www.errghr.ru", none of which are currently resolving. Usually, when such script tags are maliciously inserted into a page on a website, the script tags attempt to install spyware on the machines of people who visit the site.
I immediately replaced the infected file on the website with the backed-up clean copy from my machine, and changed the password on the website in case the attacker had gotten in by using the old one. (The original file with the script tags inserted is here if you want to examine it, but use with caution -- if the .ru hostnames in the script tags start resolving again, then opening the file could cause the JavaScript on the pages to be loaded, which might infect your machine.) Then I started investigating (a) how this probably happened; (b) whether future similar attacks could be prevented, by changing some defaults in the way that hosting accounts are set up; and (c) whether the incentives for hosting providers are such that these changes are likely to happen by themselves, or whether it will require some third-party advocacy to change what we think of as "best practices".
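A check for the kind of defacement described above, added here as an example (not code from the post or from Unmask Parasites): it parses the live page and the clean backup copy, and reports every script host that the backup never loaded, with a count per host. The HTML, the hostnames and the counts below are constructed sample data.

```python
"""Flag <script src=...> tags present in a live page but absent from the
clean backup copy, and report the external hosts they load from.

Added example for this page; the sample pages below are constructed."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def script_srcs(html):
    """Return the src values of all script tags in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def injected_scripts(clean_html, live_html):
    """Return a Counter keyed by host: script tags found in the live page
    whose src is not present anywhere in the clean backup copy.

    Relative or schemeless-without-host srcs are grouped under one key so
    a local injected file is not silently dropped."""
    known = set(script_srcs(clean_html))
    injected = Counter()
    for src in script_srcs(live_html):
        if src in known:
            continue
        host = urlparse(src).hostname or "(relative src)"
        injected[host] += 1
    return injected


# Constructed sample: a clean backup and the same page after injection.
CLEAN_PAGE = """<html><head><title>Example</title>
<script src="js/site.js"></script></head>
<body><p>Hello</p></body></html>"""

INJECTED = ('<script src="http://www.chk06.ru/x.js"></script>' * 3
            + '<script src="http://www.errghr.ru/y.js"></script>')
LIVE_PAGE = CLEAN_PAGE.replace("</body>", INJECTED + "</body>")


if __name__ == "__main__":
    for host, count in injected_scripts(CLEAN_PAGE, LIVE_PAGE).most_common():
        print(f"{count:5d}  {host}")
```

Running it against a whole site means feeding each page and its backup in turn; the backup copy is the reference, so the check needs no external allowlist.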
Denis Sinegubko, the webmaster of Unmask Parasites, a free service that scans websites on demand for signs of break-ins, says:
The majority of web site compromises happen because of:
- Stolen FTP credentials. Spyware on webmasters' computers: key-loggers, traffic sniffers (FTP protocol sends username/password as plain text), trojans that steal credentials from various programs' configuration files (FTP clients, DreamWeaver, etc).
- Security holes in popular web software: CMS (Joomla, Drupal, etc), Forums (phpBB, vBulletin, Simple Machines, etc), Blogs (WordPress). Once a vulnerability is discovered, hackers configure their automated tools to search the web for websites running vulnerable versions of the software and exploit them. This can be done easily and at almost no cost when they have an army of zombie computers.
- Security hole in "in-house" web software. Many novice (and even many experienced) web developers don't properly sanitize user input, making various attacks possible (SQL injections, XSS, etc).
- Poor security practices (Something that should be manually configured by site/server admins and cannot be fixed with automated security updates): Weak passwords, open ports, insufficiently strict permissions for limited accounts, files and directories with world write permissions, etc.
I didn't have any third-party web software or custom-made software installed on the PublicEditorMyAss.com site, the password was a seven-letter meaningless mix of letters and numbers, and I didn't have permission to change most of the things like open ports and file permissions. That left the possibility of stolen FTP credentials. This is in fact what Sinegubko says is the most common cause of such break-ins:
I guess 90% of attacks use stolen FTP credentials this year. Check this Google graph that shows the top 10 malware sites as counted by the number of compromised web sites that referenced it:
http://googleonlinesecurity.blogspot.com/2009/06/top-10-malware-sites.html
I reviewed the 4 most widespread of them (Gumblar, Martuz, Goooogleadsense, Googleanalytlcs). All four used stolen FTP credentials to penetrate web sites and upload malicious content. The chances are the rest used this vector too.
When the PublicEditorMyAss.com site was set up, the default setting was for pages to be edited over FTP. Even though FTP sends and receives passwords without encrypting them (in contrast with alternatives like SFTP or "secure FTP", which encrypts passwords), for a long time I had assumed that this was not a major security problem, because in order for an attacker to intercept the passwords in transit, they would have to control a machine somewhere on the path between my home computer and the PublicEditorMyAss.com server. I figured this wasn't worth worrying about, because it was much more likely that an attacker would attempt to steal the password by installing spyware on my home computer. And if an attacker managed to do that, then I assumed that the risk of passwords being stolen by spyware was about the same whether I used FTP or SFTP -- because either way, the spyware could just steal my password by reading it out of a configuration file where the password was stored. (Even though FTP and SFTP programs both store passwords in an encrypted format, the programs have to be able to decrypt the passwords in order to use them whenever the user wants to open a connection. So the spyware could just mimic whatever steps the client programs use to decrypt the stored passwords, in order to steal one of my passwords stored in a file.) So, I assumed it made no difference whether I used FTP or SFTP.
But according to what Sinegubko told me, this reasoning was probably wrong. The problem is that even though spyware installed on your machine could read passwords that are stored in configuration files, it would be a lot of work to write a spyware program that could do this, because every FTP program and SFTP program stores passwords according to a different algorithm. It's much simpler for spyware to simply watch the traffic sent and received from your machine, so that any unencrypted passwords will be spotted:
[Passwords can be stolen by] sniffers that read all TCP traffic on local computers. Like personal firewalls but malicious. They can easily intercept FTP credentials since they are sent as plain text.
Sinegubko describes how one of his contacts obtained evidence that a common spyware program was doing exactly this:
One of them even infected a spare WinXP computer (with Gumblar) to test the consequences. On the infected computer he created a new account in a popular FTP client and saved it. The server address was correct (his server) and the username/password pair was not valid. A few hours later, in FTP logs, he discovered login attempts that used that invalid username/password pair from a Singapore IP, then from a Florida IP, then some other country's IP. Apparently the FTP credentials were somehow stolen from that infected computer.
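The canary test Sinegubko describes, written up as an added example (not his code or the post's): a username that exists only as a saved entry in an FTP client and is not a valid account on the server can never be used legitimately, so every login attempt with it in the server log is evidence that the saved credentials left the machine. The vsftpd-style log format, the canary name and the TEST-NET client addresses are constructed assumptions.

```python
"""Honeytoken check for stolen FTP credentials.

Added example for this page. Assumes a vsftpd-style log line of the form
  <timestamp> [pid N] [<user>] OK|FAIL LOGIN: Client "<ip>"
Every line below is constructed sample data; the IPs are TEST-NET ranges."""
import re
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) '
    r'\[pid \d+\] \[(?P<user>[^\]]+)\] (?P<result>OK|FAIL) LOGIN: '
    r'Client "(?P<ip>[^"]+)"'
)


def parse_login(line):
    """Parse one login line into a dict, or return None for other lines."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    # Collapse the padded day field ("Jul  6") before parsing the timestamp.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m["user"], "result": m["result"], "ip": m["ip"]}


def canary_hits(lines, canary_user):
    """Return every login attempt (OK or FAIL) that used the canary username,
    oldest first. The canary is never a real account, so any hit is a signal."""
    hits = []
    for line in lines:
        rec = parse_login(line)
        if rec and rec["user"] == canary_user:
            hits.append(rec)
    hits.sort(key=lambda r: r["ts"])
    return hits


def sources(hits):
    """Distinct client IPs among the hits, in order of first appearance."""
    seen = []
    for hit in hits:
        if hit["ip"] not in seen:
            seen.append(hit["ip"])
    return seen


# Constructed sample log: one real user, a canary that only exists in a saved
# client profile, and a malformed line the parser must skip.
SAMPLE_LOG = """\
Mon Jul  6 01:58:12 2009 [pid 4118] [bennett] OK LOGIN: Client "198.51.100.4"
Mon Jul  6 02:14:07 2009 [pid 4121] [canary-ftp] FAIL LOGIN: Client "203.0.113.9"
Mon Jul  6 02:14:09 2009 [pid 4121] [canary-ftp] FAIL LOGIN: Client "203.0.113.9"
Mon Jul  6 05:40:51 2009 [pid 4300] [canary-ftp] FAIL LOGIN: Client "203.0.113.77"
Mon Jul  6 05:41:02 2009 [pid 4301] [bennett] FAIL LOGIN: Client "198.51.100.4"
garbage line that does not match the format
"""


if __name__ == "__main__":
    hits = canary_hits(SAMPLE_LOG.splitlines(), "canary-ftp")
    for hit in hits:
        print(hit["ts"].isoformat(), hit["result"], hit["ip"])
    print("distinct sources:", sources(hits))
```

If the canary is saved in exactly one client on one machine, the first hit also tells you which machine to take offline and scan.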
I know of only two instances where I've ever definitely been infected with spyware. I don't do stupid things like downloading and running strange programs from third-party sites, so I think both infections were probably caused by a site exploiting a security hole in Internet Explorer, or in a plug-in like Adobe Acrobat or the Flash player. Both times, once I noticed I was infected, I got rid of the infection with Malwarebytes, but I don't know how much damage the spyware did in the meantime.
So this was a case where a little knowledge can be a dangerous thing. If I had known nothing about Internet architecture, and someone told me "FTP is less secure than SFTP," I would have found a way to switch to administering the site via SFTP. But because I knew that the main reason FTP was considered "insecure" was because it transmitted passwords unencrypted, but I also knew that most of the machines relaying those passwords in transit were secure and trustworthy, I thought it didn't matter. Now it seems that is probably how my password got compromised after all.
In that case, why don't more people switch to administering their sites via SFTP instead of FTP? Here are the steps it took me to enable SFTP on my GoDaddy hosting account. Feel free to use this as a reference, but the obvious point is that as long as this many steps are required, it's safe to say that most users won't be switching:
- Go to the "Hosting" menu and pick "My Hosting Account."
- Next to the name of your website, pick "Manage Account." This will open the Hosting Control Center.
- In Hosting Control Center, click to expand the "Settings" options.
- In the "Settings" control panel, click the "SSH" icon.
- You will see a page saying "SSH is not set up", and prompting you to enter a phone number so that their automated service can call you with a PIN number. After you enter your phone number, the phone rings a second later, and you enter the PIN in a form on the GoDaddy website.
- You will then see a page which says:
Current Hosting Account Status: Pending Account Change
Your request to enable SSH is being processed. This upgrade may take up to 24 hours.
In fact, even if only one step were required to switch, most users probably wouldn't change from the default setting to use FTP, due to the eternal, unchangeable fact that most people do not change their default settings, ever. (What percent of users ever change the default set of toolbars that are displayed at the top of their Web browser window?)
If more Web hosting companies made SFTP the default, then the number of websites that were compromised by stolen login credentials would probably go down. Spyware authors might start to make their programs smarter at that point, enabling them to read the passwords stored by popular FTP and SFTP programs, so that it would make no difference whether the passwords were transmitted in the clear or not. However, this would be harder for spyware authors to do correctly, so it would at least raise the bar for a successful malware attack, and the number of compromised websites would be reduced.
Unfortunately, Web hosting companies don't have much incentive to make users switch to the more secure SFTP protocol. This isn't necessarily true of all security risks; sometimes the hosting company has a strong incentive to pass on the right wisdom (and select the right default settings) for their customers. From the hosting company's point of view, you could divide risks into three categories:
- Risks where the hosting company pays a large part of the price for a customer's machine being compromised. For example, if a cyber-criminal takes over a customer's machine and uses it to launch a denial-of-service attack by sending it a flood of traffic, the hosting company will see that traffic spike on their network. The hosting company has the most incentive to help prevent these types of attacks.
- Risks where the hosting company doesn't directly pay a price for the customer's machine being compromised, but they may have to deal with complaints sent in by third parties. For example, a customer's website could get broken into, and script tags could be inserted into the pages that cause visitors' machines to be infected with spyware. Those visitors might complain to the webmaster of the infected site, or they might complain to the hosting company, which then forwards the complaint to the webmaster. The hosting company may have to provide a few minutes of tech support to the customer, advising them to change their password and scan their own machine for spyware, but they probably won't incur any other material costs.
- Risks where neither the hosting company nor the customer pays a price for the machine being infected, but the price is paid by "Internet users as a whole." The only attack that I can think of in this category is an attack where a cyber-criminal inserts key words into your web page and links them to his site, in order to increase his Google ranking for searches for those key words. Neither the website owner, nor any visitors to the website, are victimized directly; the harm being done is that the quality of Google search results is reduced for everybody. The only reports of the attack would probably come from "good Samaritan" Web surfers, who tell the hosting company or the webmaster that one of their pages has been vandalized.
When a customer's FTP credentials are stolen, the price paid by the hosting company lies somewhere in the middle. An attacker who stole my current PublicEditorMyAss.com credentials would only be able to deface the content on the site, but they wouldn't be able to launch an attack against a third-party network (my PublicEditorMyAss.com hosting account doesn't have the ability to initiate an outgoing connection to a third-party site).
Weighing in the other direction are the costs of switching to SFTP. If existing customers are forcibly switched over, phone lines will be clogged by customers wanting to know why their old method of logging in to their site has suddenly stopped working. A better choice would be to allow existing customers to stay with FTP while making SFTP the default for new customers. But there is a time and money cost of changing anything, even a default setting.
So GoDaddy doesn't have much incentive to make SFTP their new default. Indeed, I've used many different shared hosting companies before I started running proxies exclusively on dedicated servers, and none of the shared hosting companies ever used anything but FTP as the default method for customers to administer their websites. So who can blame them? They're not making the choice that makes the most sense for their customers or for Internet security as a whole, they're making the choice that makes the most sense in terms of costs and benefits for themselves, and I'm not being judgmental about that. We shouldn't expect most companies to ever behave in any other way.
That's why I think that glib "solutions" to security problems, like "Everybody install anti-virus software", or "Everybody stop using Windows", aren't helpful, because regardless of whether these ideas would work if everybody actually followed them, the fact is that most people won't. The problems have to be addressed in terms of changing incentives for the choices people make.
What's an idea for reducing the risks of FTP credentials stolen by malware, that addresses the incentives problem? Maybe give tax breaks to Web hosting companies that set up customer accounts to use SFTP instead of FTP by default? Or ask more computer vendors to include a desktop link to pre-installed SFTP software, so that when Web hosting companies present options to their customers, it's easier for users to choose the SFTP option since they have a client already installed? (I was tempted to recommend that Microsoft include a universal SFTP client pre-installed in Windows with a prominent desktop link, but the problem with that is that if almost everybody used the same SFTP client, malware authors would have greater incentive to reverse-engineer the algorithm that the client used to store saved passwords -- and then passwords would be just as easily accessible to spyware, as if the user were using FTP all along. So a good mix of SFTP clients is safer for this purpose.)
Since the difference between SFTP and FTP usually only matters in cases where a customer's machine has been infected with malware, obviously the best solution is to avoid malware altogether, but that's a much harder problem to solve, as long as malware authors can keep finding security holes in Internet Explorer and other popular programs. Making SFTP the new standard for Web hosting accounts is something that we know how to do, right now. The incentives aren't currently right for Web hosting companies to make it happen. But there may be ways to change that, and I'll bet some people can think of better ideas than the ones I've suggested. I'm just saying that the incentives problem is where attention should be focused.