Domain: reddit.com
Stories and comments across the archive that link to reddit.com.
Stories · 292
-
Google Says It Has "No Current Plans Regarding Bitcoin"
An anonymous reader writes "A popular Reddit submission today suggested Google's payment team was looking to incorporate Bitcoin, naturally sparking a lot of excitement in the virtual currency community. TNW reached out to Google regarding the claim and learned that it was indeed false. 'As we continue to work on Google Wallet, we're grateful for a very wide range of suggestions,' a Google spokesperson told TNW. 'While we're keen to actively engage with Wallet users to help inform and shape the product, there's no change to our position: we have no current plans regarding Bitcoin.'" -
Previously-Unseen Photos of Challenger Disaster Appear Online
Nerval's Lobster writes "Twenty-six photos of the space shuttle Challenger disaster have appeared online. According to io9, "Michael Hindes of West Springfield, MA, was sorting through boxes of his grandparents' old photographs when he happened upon 26 harrowing photos of the Space Shuttle Challenger Disaster of 1986. To his knowledge, these photos have never been publicly released." Hindes told the Website that the photographer was "a friend of his grandfather, who worked for NASA as an electrician on the Agency's hulking, spacecraft-schlepping crawler transporters." Someone at Reddit (which also has a lengthy thread devoted to the images) also threw together a GIF of the liftoff and subsequent explosion." -
Unpublished J. D. Salinger Stories Leaked On Bittorrent Site
192_kbps writes "Catcher in the Rye author J. D. Salinger wrote the short story The Ocean Full of Bowling Balls and left depository copies with a few academic libraries with the understanding that the work would not see mass distribution until the mid-21st century. The only authorized place to read the story is in a special reading room at Princeton where electronics are not allowed and a librarian continuously babysits the reader. A PDF of the story, as well as two other unpublished stories, appeared on private bittorrent site what.cd where a huge bounty had been placed for the work. Incredibly, the uploader (or someone connected to the uploader) bought an unauthorized copy on eBay for a pittance. The file, Three Stories, is making the bittorrent rounds but can also be read on mediafire." -
FSF Launches Fundraiser For Replicant
gnujoshua writes "The FSF has launched a fundraiser for Replicant, the fully free Android distro. As of version 4.0 0004, Replicant runs on 10 different devices, but, the hopes are that with additional funds, the developers will be able to purchase more devices and grow the project so it will run on more devices. Yesterday, the FSF asked Mark Shuttleworth if the Ubuntu EDGE would commit to using only free software and be able to support Replicant. But, in an AMA on Reddit, Shuttleworth confirmed that Replicant would not be supported because the EDGE hardware will require proprietary drivers/binary-blobs." Replicant now supports ten devices, compared to only the HTC Dream not all that long ago. -
VLC And Secunia Fighting Over Vulnerability Reports
benjymouse writes "Following a blog post by security company Secunia, VideoLAN (vendor of popular VLC media player) president Jean-Baptiste Kempf accuses Secunia of lying in a blog post titled 'More lies from Secunia.' It seems that Secunia and Jean-Baptiste Kempf have different views on whether a vulnerability has been patched. At one point VLC threatened legal action unless Secunia updated their SA51464 security advisory to show the issue as patched. While Secunia changed the status pending their own investigation, they later reverted to 'unpatched.' Secunia claimed that they had PoC illustrating that the root issue still existed and 3rd party confirmation (an independent security researcher found the same issue and reported it to Secunia)." There are two bugs: one is a vulnerability in ffmpeg's swf parser that vlc worked around since they don't support swf. The VLC developers think Secunia should have reported the bug to ffmpeg, which seems pretty sensible. The other bug is an uncaught exception in the Matroska demuxer with overly large chunks that merely results in std::terminate being called; the Matroska demux maintainer apologized, but, despite dire warnings from Secunia that it could be exploitable, it most certainly is not. -
Five predictions for (Bit)coin
Contributor Tom Geller writes: "I recently wrote an article about Bitcoin and the law for Communications of the Association for Computing Machinery. In researching it I ran into plenty of wishful thinkers, ridiculous greedheads, and out-and-out nutbags promising a rosy future. I also found the expected blowback from vehement naysayers who think the best way to combat crazy is with more crazy. But despite that, I walked away believing that Bitcoin — or a decentralized cryptocurrency like it (let's call it "Coin") — is here to stay. As an interested outsider to the Coin economy, and a long-time technology commentator, here's what I think its future holds." Read on for Tom's predictions.
Coin's primary use will continue to be in international transactions.
While people wonder "When will I be able to pay for groceries and utilities with Bitcoin?", that use might never come. But Coin already shines in international transactions, where it provides a clear advantage over current systems, which are expensive and complicated hassles. That's why PayPal has become the go-to solution: it just works, albeit with typical fees around 3-5%.
Coin reduces that fee to a small fraction of 1% (when sent directly), and is available in places where PayPal fears to tread (Zimbabwe, Pakistan, etc.). Coin transactions occur instantly, with no intermediary, and — for better or worse — without recourse.
That leads to Coin's second primary use: to store liquid value in places where other stores (such as national currency) are unreliable. For all the cries that Bitcoin is "unstable", it seems to have settled quite nicely after its April spike. Certainly it looks appealing to anyone in an unstable country, and it's even tempting for those in places where the currency's been on a long, slow slide, like Argentina.
Coin's big vulnerability is its interface with national currencies ("real money").
None of this matters if you can't get your money out again. And that's where governments are taking a close look at Coin — with good reason. First, Coin exchanges have a terrible track record; second, such points of exchange are bottlenecks through which financial crimes often flow.
In the U.S., the government's Financial Crimes Enforcement Network (FinCEN) issued guidance asserting its right to regulate "Money Services Businesses", and defining exchanges dealing in virtual currencies (including Bitcoin) as such. That's a problem for many existing Coin exchanges, as the costs for complying with regulations are high. But if there's not a stable and reliable way to get national currency in and out of Coin, its value will plummet.
Conversely, Coin's value is likely to shoot up if this interface gets easier. Right now, it's surprisingly hard to buy Bitcoin (et al.) directly with U.S. dollars. Most methods require bank wires, tricky multi-step workarounds, and high fees. (I found Coinbase to be the most accessible, albeit with long delays and a bank verification procedure similar to PayPal's.) If Coin becomes as easy to buy as a gift card and redeemable at every bank, its practical utility will soar for everyday people.
No government will make Coin illegal.
Despite bloviation by a few politicians and baseless statements in the press, Coin is not per se illegal, and there have been no serious attempts to make it so. The FinCEN guidance mentioned earlier explicitly says that ordinary users — those who buy and sell using Coin — are "not subject to FinCEN's... regulations for MSBs". It's possible that other government agencies will continue to claim authority, but there doesn't seem to be much support for it.
A lot of noise has been made about Coin's use in illegal business, for example on Silk Road (where it's the only currency). But law enforcement is realizing that the currency isn't to blame, much as they've started to say that Craigslist isn't responsible for crimes organized through its ads. I predict that that distraction will continue to surface from time to time, but will essentially die soon.
Even if governments attempt to illegalize Coin, there's only so much they could do to criminalize ordinary users. Again, Coin's real vulnerabilities are higher up the chain. However....
If Coin succeeds, governments will get involved — for the better.
"Noooo!!!" scream the cryptoanarchists who are Coin's pioneers. "Keep the government out of this! Coin can't be controlled! Nobody can take away our freedoms!" What they don't realize is that this attitude doesn't reflect the values of Coin's future users. The benefits of "freedom" matter to the innovators; convenience and safety matter to those who follow.
"Government" in this case could also be a government-size corporation, syndicate, or other entity. The important thing is that it's big enough to administer, back, and enforce initiatives to protect the Coin economy. Whatever that "bully entity" is, Coin adopters will welcome it because of two major flaws currently in (Bit)Coin's design.
First, Coin is ridiculously easy to destroy by accident. If you lose the private cryptographic key that identifies your coin, it's gone. Not just stolen, but removed entirely from the economy, so nobody will ever own it again. Consider these stories on Bitcointalk.org, where within a few messages the cumulative total tops 10,000 BTC — currently valued around a million dollars. A central authority could address this in several ways such as tracking, restitution, etc. People don't care that their cash is anonymous when the rent money disappears.
Second, the entire system is vulnerable to a brute-force attack. Without getting into the specifics, Coin (well, Bitcoin) works because it assumes that at least 50% of the computer power on the network is held by honest players. But a recent 51% attack on Feathercoin (a Coin with much lower capitalization) showed that it's possible for a single party (or syndicate) to trump that.
Let's do the math for Bitcoin, the Coin with by far the highest capitalization, at just north of USD$1 billion (1 x 10^9). To reliably overwhelm the network, you'd need computing power delivering about 100,000 gigahashes per second. Computers optimized for Bitcoin processing are currently available for about $1,000/gigahash, so sufficient computing power can be bought for $100 million. Electricity cost for the deed would be about $200,000/day.
O.K., it's not something a basement hacker could whip up. But there are over 400 people, and thousands of syndicates with a billion dollars in the U.S. alone. Perhaps at least one of them is crazy enough to drop 1% of the wealth to partially control (or completely destroy) a billion-dollar system. (Hell, one of them recently spent 1/10th of that price tag on his wedding.)
Those are only the two biggest technical concerns. Then there's the galaxy of financial services (such as insurance) that's available for fiat money, but which would be hard or impossible to provision for Coin without a central authority. Time could overcome these barriers; a bully entity would overcome them faster, and with greater public buy-in.
Bitcoin is not the end game.
Along those lines, I don't believe that Bitcoin will be the ultimate winner in this game. It's the 1.0, and a brilliant first effort at that. But it's not perfect, and several pretenders to the throne already claim to fix some of its bugs. In fact, shifting conditions may require periodic issuance of new Coin as a matter of course. (As I said before, I believe such issuances will involve a central authority.)
These predictions all assume that Coin will grow, and there are many reasons it might not. However, I'm bullish on it for the long-term. It's already proven its value in use; the public is used to handling Coin-like money (viz. Square Wallet); and its first major hurdles are in the past. Now it's ready to enter a fascinating future.
- - - - -
Tom Geller (tomgeller.com) writes about technology and business. He's best known for Drupal-related work that includes eight video courses for lynda.com, a book for Peachpit Press, and corporate work for Acquia, Commerce Guys, and others. He first became involved in computers as a grade-school student in 1976, playing "Hunt the Wumpus" on a 100-pound monster that spewed tractor-feed paper onto the floor. He lives in Oberlin, Ohio. -
Redditors (and Popehat) Versus a Bus Company
Techdirt explains the strange story of a lawsuit-happy bus company in Illinois which managed to tick off a cadre of determined redditors by calling them uncomplimentary names in the reddit forums. This all started when a bus passenger, Jeremy Leval, reported unsavory behavior by a company employee (telling an exchange student "If you don't understand English, you don't belong at the University of Illinois or any 'American' University.") and said so online. Besides the name calling on reddit, the bus company threatened the forum moderator with libel charges, and over insults posted by the bus company employees which the moderator had deleted. Further, company owner "[Dennis] Toeppen threatened to sue Leval, saying, 'The attorneys for Suburban Express are reviewing this incident with a view towards filing the appropriate legal action against this meddlesome MBA student.'" Attorney Ken White of Popehat got involved, though, and asked with good effect whether the company had fully considered the Streisand Effect. The strangest part? Toeppen's former involvement as a domain squatter. -
Crowdsourcing Failed In Boston Bombing Aftermath
Nerval's Lobster writes "With emotions high in the hours and days following the Boston Marathon bombing, hundreds of people took to Reddit's user-generated forums to pick over images from the crime scene. Could a crowd of sharp-eyed citizens uncover evidence of the perpetrators? No, but they could definitely focus attention on the wrong people. 'Though started with noble intentions, some of the activity on reddit fueled online witch hunts and dangerous speculation which spiraled into very negative consequences for innocent parties,' read an April 22 posting on Reddit's official blog. 'The reddit staff and the millions of people on reddit around the world deeply regret that this happened.'" -
CipherCloud Invokes DMCA To Block Discussions of Its Crypto System
New submitter brennz writes "Cryptographers on StackExchange were discussing CipherCloud, using some promotional material from the same to provide detail. CipherCloud responded with a DMCA takedown request that some have characterized as abusive." -
DarkSeas Games Developing Spiritual Successor To Road Rash
Feast Huggston writes "Indie Dev Darkseas Games has released an early gameplay trailer (video) of Road Redemption, a modern reimagining of the Sega Genesis (and later 3DO/N64/PSX/PC) motorcycle combat-racing classic Road Rash. The project has been in development since early 2012 and utilizes the Unity 4 engine. It is currently slated for release on PC, Mac, and Linux in 2014, with a stretch goal of eventually reaching the major game consoles. So far, it has raised over $24,000 of its $160,000 pledge goal on Kickstarter. While Road Rash creator Dan Geisler recently stated that he was interested in making another Road Rash, he is apparently not directly involved in this project, although he has given it his blessing. I grew up playing the heck out of this on Genesis and PC and it already appears that for many, a rebirth of this franchise was long overdue." -
Bill Gates Answers Questions From Redditors
First time accepted submitter rroman writes "Bill Gates is answering questions on reddit. He talks about the work that is being done by Bill & Melinda Gates Foundation, about his life and about his opinions on various topics." Jump right to the answers. -
Surface Pro Sold Out; Was It Just Understocked?
TechCrunch is one of the many outlets to report that Microsoft's Surface Pro tablet computer sold out on its first day of wide availability. Business Insider points to Reddit threads complaining that "selling out" was largely a product of not having all that many in stock to begin with, in some cases not even enough to cover pre-ordered devices. -
How EVE Online Dealt With a 3,000-Player Battle
Space MMORPG EVE Online is best known for its amazing stories, and on Sunday it added a new epic tale. The leader of a huge coalition, preparing for a moderately sized assault, mis-clicked and accidentally warped himself into enemy territory without his support fleet, endangering his massive ship worth an estimated $3,500. Realizing the danger, he called upon every ally he could, and the enemy fleet rallied in turn, leading to an incredible 3,000-player battle. What's also impressive is that the EVE servers stayed up for the whole fight, when most MMOs struggle with even a few hundred players at the same time. The Penny Arcade report spoke with CCP Games for some information on how they managed that: "It’s hard to wrap your head around, but they sometimes move the in-game space itself. 'We move other solar systems on the node away from the fight. This disconnects anyone in those systems temporarily, but spares them from the ongoing symptoms of being on an overloaded server,' Veritas explained. 'It helps the fight system a little bit as well, especially if a reinforcement fleet is traveling through those other systems. This was done for the fight over the weekend, but is rare.' ... They do have a built-in mechanism for dealing with massive battles, however: They slow down time itself. ... Once server load reaches a certain point, the game automatically slows down time by certain increments to deal with the strain. Time was running at 10% speed during this 3,000-person battle, which is the maximum amount of time dilation possible." -
Feedback On Simcity Gets User Banned From EA Forums
An anonymous reader writes "EA's latest SimCity game requires users to log on online even for single player. After being unable to log on for three hours, one of its users chimed in with his very polite $0.02 opinion, only to get himself banned by EA admins. Another great victory for DRM." Update: 01/29 18:00 GMT by S : The player's ban has been lifted, and it seems to have happened for an unrelated issue anyway. -
US Congressman Wants To Ban New Internet Laws
SchrodingerZ writes "Representative Darrell Issa, a Republican congressman from California, has drafted a bill for the internet. The bill, aptly named the Internet American Moratorium Act (IAMA), is, 'a two-year moratorium on any new laws, rules or regulations governing the Internet.' In short it hopes to deny any new government bills related to lawmaking on the internet for the next two years. The bill was first made public on the website Reddit, and is currently on the front page of Keepthewebopen.com, a website advocating internet rights. 'Together we can make Washington take a break from messing w/ the Internet,' Issa writes on his Reddit post. The initial response to the bill has been mixed. Users of Reddit are skeptical of the paper's motives and credibility. As of now, the bill is just a discussion draft, whether it will gain footing in the future is up in the air." -
Skype Disables Password Resets After Huge Security Hole Discovered
another random user writes with news of a vulnerability in the Skype password reset tool "All you need to do is register a new account using that email address, and even though that address is already used (and the registration process does tell you this) you can still complete the new account process and then sign in using that account Info (original post in Russian)" concealment adds a link to another article with an update that Skype disabled the password reset page as a temporary fix. -
Apple Hides Samsung Apology So It Can't Be Seen Without Scrolling
An anonymous reader writes "Apple today posted its second Samsung apology to its UK website, complying with requests by the UK Court of Appeal to say its original apology was inaccurate and link to a new statement. As users on Hacker News and Reddit point out, however, Apple modified its website recently to ensure the message is never displayed without visitors having to scroll down to the bottom first." -
Smooth, High Definition Video of Curiosity's Landing On Mars
_0x783czar writes "Filmmaker Brad Canning has released a hi-def video of Curiosity's landing. This video was captured in low res, and then extrapolated and re-rendered by Canning to produce some of the most stunning imagery ever captured on an alien world. It took Canning over a month to complete the process. He used motion tracking to add sound effects which in turn give you the sensation of the ride of your life." -
ArenaNet Suspends Digital Sales of Guild Wars 2
kungfugleek writes "Throughout the launch of subscription-free MMO Guild Wars 2, ArenaNet has stated that the player-experience is their top priority and, if necessary, they would suspend digital sales to protect their servers from crushing loads. While the launch has been considerably more stable than most big-budget MMO's in recent months, some players, especially those in Europe, have experienced trouble logging in and getting booted from servers. So yesterday, ArenaNet held true to their word, and temporarily suspended digital sales from their website. Personally, I think this is an incredible show of customer-centered focus. To turn down purchases, especially first-party purchases, where the seller gets a higher percentage of the sale, during a major title's first week of sales, would be inconceivable by other companies. Is this a bad move for ArenaNet? Will there be enough of a long-term payout to make up for the lost sales? And does this put pressure on other major studios to follow suit in the face of overwhelming customer response?" New submitter charlieman writes with related news: "Yesterday ArenaNet banned players for exploiting an error in their new game Guild Wars 2. The so called exploit was in fact an error on ArenaNet's side, leaving weapons at a low price from some vendors. Players saw this and started making profits buying and selling the items. Should players be penalized for errors committed by the game developers? Taking in account that the game is fairly new, the economy hasn't stabilized yet and most don't know the value of things. Today they've given these players a 'second chance', but shouldn't they be apologizing instead?" -
Rob CmdrTaco Malda AMA On Reddit
TheNextCorner writes with news on where CmdrTaco has been hiding. Quoting Malda's IamA blurb over at that Reddit thing: "In 1997 I started Slashdot.org. For several years, we pioneered news aggregation and on-line communities while exploring our niche of the 'net under the slogan, 'News for Nerds, Stuff that Matters.' Our work was later expanded upon at countless other more successful sites including Reddit and the Huffington Post. I left Slashdot last year, took a long time off, and then started work at the Washington Post Co's WaPo Labs their digital media R&D skunkworks group. I work as their Chief Strategist and Editor-at-Large, contributing what I can to a variety of projects ranging from their Social Reader, to some projects under development. From here I am able to continue to explore my interests in news, journalism, technology, and communities. ... I'll hopefully be answering from 2pm-5pm ET" -
John the Ripper Cracks Slow Hashes On GPU
solardiz writes "A new community-enhanced version of John the Ripper adds support for GPUs via CUDA and OpenCL, currently focusing on slow-to-compute hashes and ciphers such as Fedora's and Ubuntu's sha512crypt, OpenBSD's bcrypt, encrypted RAR archives, WiFi WPA-PSK. A 5x speedup over AMD FX-8120 CPU per-chip is achieved for sha512crypt on NVIDIA GTX 570, whereas bcrypt barely reaches the CPU's speed on an AMD Radeon HD 7970 (a high-end GPU). This result reaffirms that bcrypt is a better current choice than sha512crypt (let alone sha256crypt) for operating systems, applications, and websites to move to, unless they already use one of these 'slow' hashes and until a newer/future password hashing method such as one based on the sequential memory-hard functions concept is ready to move to. The same John the Ripper release also happens to add support for cracking of many additional and diverse hash types ranging from IBM RACF's as used on mainframes to Russian GOST and to Drupal 7's as used on popular websites — just to give a few examples — as well as support for Mac OS X keychains, KeePass and Password Safe databases, Office 2007/2010 and ODF documents, Firefox/Thunderbird/SeaMonkey master passwords, more RAR archive kinds, WPA-PSK, VNC and SIP authentication, and it makes greater use of AMD Bulldozer's XOP extensions." -
Cisco Pushing 'Cloud Connect' Router Firmware, Allows Web History Tracking
Myrv writes "Reports have started popping up that Cisco is pushing out and automatically (without permission) installing their new Cloud Connect firmware on consumer routers. The new firmware removes the user's ability to login and administer the router locally. You now must configure the router using Cisco's Cloud connect service. If that wasn't bad enough, the fine print for this new service allows Cisco to track your complete internet history. Currently, it appears the only way to disable the Cloud Connect service is to unplug your router from the internet." -
Gamer Keeps Civilization II Game Going for 10 Years
Have you ever wondered what a game of Civilization 2 would look like after running for 10 years? According to one gamer it's a "hellish nightmare of suffering and devastation." "Lycerius" says that he's been playing the same game of Civ II off and on for over a decade. Some highlights of the marathon session include: 1700 years of war, the ice caps melting over 20 times, constant guerrilla uprisings, and "Roughly 90% of the world's population has died either from nuclear annihilation or famine caused by the global warming that has left absolutely zero arable land to farm." It's too bad you can't build the Hanging Gardens more than once. -
Minecraft Map of Northwestern Campus Printed In 3D
erich666 writes "Ben Rothman has created a five-foot-wide scale model of most of Northwestern University, where he was a sophomore this past year. This campus model is unique: it is the first modeled in Minecraft and then printed on a 3D printer. It is also the largest Minecraft 3D print to date, and will be on display in the main lobby of the largest building on campus in a few weeks. Ben began in November and spent about 600 hours recreating the campus. He notes that "this felt like playing a game more than a modeling task." The cost of the print material was about $2000 to $2500, well less than the cost of the display case being built for it (admittedly, labor costs are included for the case). The free Mineways program was used for export. It can help upload an exported Minecraft model to Shapeways, i.materialise, or other 3D print service. Models cost as little as $5." -
GMU Prof Teaches How To Falsify Wikipedia — and Get Caught
Hugh Pickens writes "Yoni Appelbaum reports in the Atlantic that as part of their coursework in a class that studies historical hoaxes, undergraduates at George Mason University successfully fooled Wikipedia's community of editors, launching a Wikipedia page detailing the exploits of a fictitious 19th-century serial killer named Joe Scafe. The students, enrolled in T. Mills Kelly's course, Lying About the Past, used newspaper databases to identify four actual women murdered in New York City from 1895 to 1897, along with victims of broadly similar crimes, and created Wikipedia articles for the victims, carefully following the rules of the site. But while a similar page created previously by Kelly's students went undetected for years, when students posted the story to Reddit, it took just twenty-six minutes for a redditor to call foul, noting the Wikipedia entries' recent vintage and others were quick to pile on, deconstructing the entire tale. Why did the hoaxes succeed in 2008 on Wikipedia and not in 2012 on Reddit? According to Appelbaum, the answer lies in the structure of the Internet's various communities. 'Wikipedia has a weak community, but centralizes the exchange of information. It has a small number of extremely active editors, but participation is declining, and most users feel little ownership of the content. And although everyone views the same information, edits take place on a separate page, and discussions of reliability on another, insulating ordinary users from any doubts that might be expressed,' writes Appelbaum. 'Reddit, by contrast, builds its strong community around the centralized exchange of information. Discussion isn't a separate activity but the sine qua non of the site. If there's a simple lesson in all of this, it's that hoaxes tend to thrive in communities which exhibit high levels of trust. But on the Internet, where identities are malleable and uncertain, we all might be well advised to err on the side of skepticism (PDF)."" -
University of Pittsburgh Deluged With Internet Bomb Threats
An anonymous reader writes "The University of Pittsburgh has been plagued with 78 bomb threats (and counting) since February 14. It started low-tech, with handwritten notes, but has progressed to anonymous emails. Nearly every campus building has been a target. The program suspected is anonymous mailer Mixmaster. The university has been evacuating each building when threats come in (day or night), and police departments from around Allegheny County have offered assistance with clearing each building floor by floor with bomb sniffing dogs. There is a popular tracking blog set up by a student as well as a growing Reddit community. Is there any foreseeable defense (forensic or socially engineered) to a situation like this?" -
Reddit: No More Suggestive Content Featuring Minors
First time accepted submitter say_hwat writes "Today Reddit announced that it has banned subreddits dedicated to posting sexualized imagery of people under the age of 18. Last year, the site came under fire for r/jailbait, a subreddit dedicated to posting images of people under 18. The subreddit was shut down, but many others, such as r/gaolbait and r/bustybait, continued existing or sprung up afterwards. The policy change today came hours after a thread on Something Awful called for a public campaign against Reddit's lax attitude towards the sexualization of children. The Something Awful thread creator claims that Reddit's administrators know about child pornography being traded, but refuse to act. Among others, the thread creator cites r/preteen_girls as being particularly egregious." -
Delayed Outrage Over A Censored Site; What's a Better Way To Spread News?
Bennett Haselton is back with a thought provoking essay about not just an incident of Internet censorship on an American university campus, but a proposed method of propagating news, so that relevant stories aren't buried as easily by chance or time. Bennett writes: "The real scandal in the story of Arizona State University blocking students' access to the Change.org website, is not just that it happened, but that the block persisted for two months without being mentioned in the media. As a card-carrying member of the 'outrage grapevine,' I surely think we need a way to respond faster." Read on for the rest.
This is a tale of censorship. From about December 7th until February 3rd, Arizona State University was blocking all users of its network from accessing the Change.org website, where users can create petitions and circulate them for other users to sign. (The lame excuse offered by the university was that a student had created a petition and was using the change.org site to "spam" other ASU accounts; of course, even if that had been the real reason, it would have easily been possible for ASU to block mail from the change.org servers, without blocking all students from accessing the website.) On February 3rd, after a furor of sudden media attention, the block was lifted.
But that's not the worst instance of censorship in this story. What's more disconcerting is that for the two months that the block was in place, the university's decision to block the website received no media coverage at all. This despite the fact that it was a political website being blocked, at a university with over 70,000 students — a publicly funded university, where a court would have almost certainly found that the blocking violated the First Amendment, had the case ever gone to trial.
I first heard about the original tumblr blog post describing the blocking situation, when someone posted the link on my Facebook wall. So as I went to my profile to read it, I was already predisposed to be pissed off, since almost every link that someone posts on my wall is either an outright scam, or a one-sided rant about an issue that is actually much more complicated than the author thinks it is. Well, it was a one-sided rant, all right, but it was about an issue where there was really only one side: ASU evidently got annoyed about a petition on change.org protesting tuition hikes, so they blocked the site. As I re-read the post, I kept thinking: How can this be true, if we haven't heard about it anywhere else? Perhaps an overzealous ASU network admin put the block in place, and it was reversed just a few hours later, but the tumblr post never got updated? I emailed the blog post's author, Eric Haywood, and the owners of change.org, asking how long the block had lasted before the site was un-blocked — I just assumed that the block couldn't possibly still be in place, two months later. But they confirmed that it was.
The link got blogged and re-blogged around tumblr a few times in December and January, and then, at about the same time as I was sending my emails, the issue suddenly "tipped" into public awareness as it was linked from a widely-read reddit post. Then the blocking received its first official "media" coverage in an article in the ASU student newspaper, the State Press. (Eric Haywood called the article "just ASU spreading its own propaganda about this issue (they own, run and control the State Press)". I don't know about propaganda, but it did seem a little amateurish — the article says "The author of the original blog post is unknown", even though the guy's name, Eric Haywood, was listed in the post, along with his email address.) Then finally the story spilled over into the "real" media with an article in the Huffington Post, in which the author pointed out that the blocking likely violated the First Amendment. (A few hours after that article appeared, the university unblocked the site so that ASU students could access Change.org on their network again.)
None of the articles commented, however, on how the issue had remained buried for so long; the State Press article said only that the tumblr blog "began circulating the Internet Thursday." A reader could be forgiven for reading the articles and scratching their head and thinking: What is it that just happened? If the site has been blocked for two months, why is this only being written about now?
The answer, I think, is that most people don't realize how arbitrary the process is that determines what issues get news coverage and which ones don't. Before I got involved in a few issues that did receive media coverage (in my late teens, through Peacefire and in co-operative projects with others), I had just assumed that "the news" consisted of all stories that somebody in the media business considered to be "news-worthy." Some journalists just want to sell papers (or attract page-views), while other (better) journalists strive to tell the most important stories — but either way, surely their decision to cover something, or not, should depend on attributes of the story, right? Not on whatever else happened to be going on, or other random circumstances? But then, when I started to be involved in efforts to actually get media coverage for this or that issue, some issues ended up receiving far more coverage than even I thought they really deserved, and others received far less.
Sometimes reporters would frankly admit that they thought something was a good story, but they couldn't cover it because their plate was full that day, and even if they had time later, by that time the issue would be too "cold." Some years ago, I wrote in Slashdot about an experiment in which I sued some spammers in Small Claims court, and filed the court briefs with some of the pages stuck together with a sliver of paper. When the judges rejected the motions (as I expected, since Small Claims judges have been near-uniformly hostile to spam suits), I went to the courthouse to look at the files and found the pages still attached, indicating that the judges had rejected the motions without reading them. What I didn't mention in the original article, was that I had planned at first to give the exclusive story to a Seattle Times reporter, who came down to the courthouse to see the files and interviewed me afterwards. The paper must have thought there was a real story there, since they later sent a photographer to come down and take pictures of the files as well. But then something else landed on the reporter's desk and pushed the story back a few days, and days became weeks, and then the beat switched to a different reporter. When I eventually called to ask if they were still interested, they replied, essentially, that without a current "hook", they couldn't write the story, because now it would look like they weren't doing their jobs for the long intervening period when they didn't write about it, so it was better now to drop it entirely.
Traditional media seems hamstrung by two limitations here: (1) an inefficiency at finding the most important stories that most "deserve" to be written about; and (2) a convention that you can't cover something that's more than a few days old, because then the story looks "dated." The Internet doesn't seem to suffer from limitation #2, as demonstrated by the fact that the blocking of change.org at ASU on December 7th was still able to ignite a controversy on February 3rd. But it does still suffer from limitation #1, as illustrated by the Internet's near-total silence on the issue from December 7th through February 2nd.
Many other people have a pet issue that they think is being "suppressed" by the "liberal media" or the "corporate-owned media" (depending on which side they're on), but the evidence suggests that no conspiracy is necessary to keep an important story from being written about. Sometimes arbitrariness and chance is enough.
My naive earlier assumption — that stories received media coverage because of some combination of attributes of those stories — seems to be a specific instance of a cognitive fallacy, where if you observe that some group of things achieved some end result Z, and all of those things started out possessing some attribute X, then you think that attribute X caused the achievement of result Z. In this case, because we observe that most stories which receive news coverage are important and interesting (with obvious exceptions), we assume that most interesting and important news stories will receive news coverage. Thus, it's frustrating and counterintuitive when we find out about an issue that cries out to be written about, but was ignored by the media. The truth is more likely to be that for every important and interesting story that gets coverage, there are likely to be many other equally important and interesting stories that never make it into the news.
(By the way, I've been unable to find a precise name for the cognitive fallacy wherein if you observe that all things which achieve goal Z have attribute X, then you come to think that attribute X is a good predictor of achieving goal Z. It's not the same as the "post hoc fallacy" or the mistaken belief that "correlation equals causation," because both of those are about the illusion of causation. I'm talking about the correlation being an illusion in the first place — where people come to believe that attribute X is a good predictor of achieving result Z, ignoring the fact that there may be enormous numbers of cases where attribute X is true, but which never go on to achieve result Z. If you know the exact name of that fallacy, shoot me an email and submit a comment below.)
In an earlier article, I proposed a system that would eliminate the arbitrariness in determining which pieces of content are selected to be "the best" and broadcast to a larger audience. I suggested using the algorithm to determine which songs could be pushed out to listeners of a streaming music system, but it could be modified to select which news stories would be considered "important" enough to push out to readers of a news site. (The gist of the idea is that you have each piece of content rated by a random sample of users chosen from the system, and if their average rating is high enough, it gets pushed out to everyone else. If the random sample size is large enough, their average rating will be non-arbitrary, and will be determined by the attributes of the content itself.)
Maybe that algorithm is flawed or maybe someone could find a better one, but the more important thing to realize is that we don't live in that world now, where the attention given to an event is determined by attributes of that event. In the world we actually live in, it's safe to assume that many events take place every day that would have been covered by the news, if it hadn't been for a reporter's missed phone call or some other random happenstance. I have no doubt that the blocking of Change.org on ASU's network could have been a front-page story on CNN, under the right circumstances. I just think that in an ideal world, it should have ended up as a front-page story on CNN regardless of the "circumstances" — but in real life, no favorable circumstances means no CNN story.
That might seem like a lot to read into a single case of media silence about a political website being censored at a state university. But while Change.org is no longer blocked at ASU, the inefficient and arbitrary means by which news "events" are discovered and distributed to a wide audience will be with us for a long time.
-
Ask Slashdot: What Can You Do About SOPA and PIPA?
Wednesday is here, and with it sites around the internet are going under temporary blackout to protest two pieces of legislation currently making their way through the U.S. Congress: the Stop Online Piracy Act (SOPA) and the Protect-IP Act (PIPA). Wikipedia, reddit, the Free Software Foundation, Google, the Electronic Frontier Foundation, imgur, Mozilla, and many others have all made major changes to their sites or shut down altogether in protest. These sites, as well as technology experts (PDF) around the world and everyone here at Slashdot, think SOPA and PIPA pose unacceptable risks to freedom of speech and the uncensored nature of the internet. The purpose of the protests is to educate people — to let them know this legislation will damage websites you use and enjoy every day, despite being unrelated to the stated purpose of both bills. So, we ask you: what can you do to stop SOPA and PIPA? You may have heard the House has shelved SOPA, and that President Obama has pledged not to pass it as-is, but the MPAA and SOPA-sponsor Lamar Smith (R-TX) are trying to brush off the protests as a stunt, and Smith has announced markup for the bill will resume in February. Meanwhile, PIPA is still present in the Senate, and it remains a threat. Read on for more about why these bills are bad news, and how to contact your representative to let them know it.
Note: This will be the last story we post today until 6pm EST in protest of SOPA.
Why is it bad?
The Stop Online Piracy Act is H.R.3261, and the Protect-IP Act is S.968.
The intent of both pieces of legislation is to combat online piracy, giving the Attorney General and the Department of Justice power to block domain name services and demand that links be stripped from sites not involved in piracy. The problem is that the legislation, as written, is vague and overly-broad. For one thing, it classifies internet sites as "foreign" or "domestic" based entirely on their domain name. A site hosted abroad like Wikileaks.org could be classified as "domestic" because the .org TLD is registered through a U.S. authority. By defining it as "domestic," Wikileaks would then fall under the jurisdiction of U.S. laws. Other provisions are worded even more poorly: in Section 103, SOPA lays out the definition for a "foreign infringing site" as one where "the owner or operator of such Internet site is committing or facilitating the commission of criminal violations punishable under [provisions relating to counterfeiting and copyright infringement]." The problematic word is facilitating, as it opens the door to condemning sites that simply link to other sites.
The most obvious implication of this is that search engines would suddenly be responsible for monitoring and policing everything they index. Google indexed its trillionth concurrent URL in 2008. Can you imagine how many people it would take to double check all of them for infringing content? But the job wouldn't end at simply looking at them — Google would have to continually monitor them. Google would also have to somehow keep track of the billions of new sites that spring up daily, many of which would be trying to avoid close scrutiny. Of course, it's an impossible task, so there would need to be automated solutions. Automation being imperfect, it would leave us with false positives. Or perhaps sites would need to be "approved" to be listed. Either way, we'd then be dealing with censorship on a massive scale, and the infringing sites themselves would continue to pop up.
But the problems don't end there; in fact, SOPA defines "Internet search engine" as a service that "searches, crawls, categorizes, or indexes information or Web sites available elsewhere on the Internet" and links to them. That's pretty much what we do here at Slashdot. It's also something the fine folks at Wikipedia and reddit do on a regular basis. The strength of all three sites is that they're heavily dependent on user-generated content. Every day at Slashdot, readers deposit hundreds and hundreds of links into our submissions bin. Thousands of comments are made daily. We have a system to surface the good content, but the chaff still exists. If we suddenly had a mandate to retroactively filter out all the links to potentially copyright-infringing sites in our database, we wouldn't have many options. We're talking about reviewing hundreds of thousands of submissions, and every comment on 117,000+ stories. And we're far from the biggest site around — imagine social networks needing to police their content, and all the privacy issues that would raise.
Small sites and new sites would be hurt, too. A website isn't a single, discrete entity that exists on its own. A new company starting up a site would have to worry about its webhost, registrar, content provider, ISP, etc. The legislation would also raise significant financial obstacles. New companies need investments, and that would be much less likely (PDF) if the company could be held liable for content uploaded by users. On top of that, if the site was unable to live up to the vague standards set by the government and the entertainment industry, they could be on the receiving end of a lawsuit, which would be expensive to fight even if they won (and such laws would never, ever be abused). It's hard to conceptualize the internet without noting its unrivaled growth, and SOPA/PIPA would surely stifle it.
This legislation hits near and dear to the hearts of many Slashdotters; if SOPA/PIPA pass, IT staff for companies small and large are going to have their hands full making sure they aren't opening themselves to legal action or government intervention. Mailing lists, used commonly and extensively among open source software projects, would be endangered. Code repositories would need to be scoured for infringing content; the bill allows for the strangling of revenue sources if its anti-infringement rules aren't being met. VPN and proxy services become only questionably legal. The very nature of the open source community — as the EFF puts it, "decentralized, voluntary, international" — is not compatible with the burdens placed on internet sites by SOPA and PIPA.
What can we do?
So, what can we do about it? There are two big things: contact your representative, and spread the word. Slashdot readers, on the whole, are more technically-minded than the average internet user, so you're all in a position to share your wisdom with the less internet-savvy people in your life, and get them to contact their representative, too. Here's some useful information for doing so:
Propublica has a list of all SOPA/PIPA supporters and opponents.
Here is the Senate contact list and the House contact list.
You can also use the EFF's form-letter, the Stop American Censorship form-letter, or sign Google's petition.
If you don't live in the U.S., you can petition the State Department. (And yes, you have a dog in this fight.)
SOPAStrike has a list of companies participating in the protest, and this crowd-sourced Google Doc tracks companies that support the legislation. Tell those companies what you think.
Further reading: Wikipedia has left their SOPA and PIPA pages up. The EFF has a series of articles explaining in more depth what is wrong with the bills. Here are some protest letters written to Congress from human rights groups, law professors, and internet companies.
Go forth and educate. -
PR Firm Unwisely Tangles With Penny Arcade
New submitter FSWKU writes "Courtesy of Penny-Arcade, Paul Christoforo of Ocean Marketing provides a perfect example of what not to do when interacting with customers, especially if you are doing so on behalf of another company. There's name dropping, an ego trip worthy of Charlie Sheen, and even what appears to be a promise to commit libel. Other outlets are already picking up the story and running with it, and an examination of Ocean Marketing's website has generated accusations of plagiarism." -
PSN Outage Continues, Console Hack Claimed To Be Responsible
Over the weekend, we discussed news that the PlayStation Network had been down for days, with Sony saying little other than that it was caused by an "external intrusion" and that they were "rebuilding their network." Many of you have written to point out that the outage continues, with Sony saying they "don't have an update or timeframe to share at this point." One theory about the cause behind the network's downtime was recently espoused on Reddit by 'chesh,' a moderator at PlayStation-modding enthusiast site PSX-Scene.com. According to him, recently released custom firmware called Rebug allowed people to essentially turn their PS3s into dev consoles, though some features were missing. A different group supposedly used this firmware to get on PSN through the developer networks, and also found that fake credit card numbers were not being validated for game purchases, leading to what chesh called "extreme piracy." He acknowledges that this theory is speculation. Sony's handling of this outage is starting to draw attention from the government. Update: 04/26 20:47 GMT by S : Sony just posted more details, saying that a massive data breach occurred: An "unauthorized person" has PSN users' "name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID." Billing address, password questions, and credit card info may also have been taken. -
It's World Backup Day
1sockchuck writes "Today is World Backup Day, an occasion to back up your personal data and financial information and check your restores. For those needing motivation — a group that apparently includes 15 percent of data centers — the Slashdot archives bear witness to data disasters at providers small (Ma.gnolia) and large (Microsoft). The World Backup Day initiative grew out of a thread at Reddit, and invites online backup services to observe the occasion by offering discounts." -
Pay What You Want — a Sustainable Business Model?
revealingheart writes "As 2010 comes to a close, it could be remembered as the year pay-what-you-want pricing reached the mainstream. Along with the two Humble Indie Bundles, YAWMA offer a game and music bundle, and Rock, Paper and Shotgun reports on the curiously named Bundle of Wrong, made to help fund a developer who contracted pneumonia. More examples include when Reddit briefly let their users donate an amount of their choosing for upgraded accounts when they were having financial difficulties; the Indie Music Cancer Drive launched Songs for the Cure for cancer research; and Mavaru launched an online store where users can buy albums for any amount. Can pay-what-you-want become a sustainable mainstream business model? Or is it destined to be a continued experiment for smaller groups?" -
Countering a DMCA Takedown In the Magnet Wars
An anonymous reader writes "Zen Magnets, a maker of neodymium magnet toys, has been under assault by the much larger and better distributed Buckyballs, maker of a nearly identical toy. After Zen Magnets listed a couple of eBay auctions with a set of Buckyballs and a set of their own, asking customers to decide which was of higher quality, Buckyballs replied with a legal threat. Zen Magnets countered with an open video response, in which they presented the voicemail from Buckyballs and demonstrated their claims of quality through repeatable, factual tests, providing quantitative data to back up their assertions. Soon after, Buckyballs CEO Jake Bronstein got the video taken down from YouTube via a DMCA takedown, despite the fact that the only elements not made by Zen Magnets are the voicemail he left and some images of himself, which are low-resolution and publicly available online. Zen Magnets has decided to file a counter-takedown notice — not effective yet apparently, since the video is still marked as taken down." Slashdot's sister company ThinkGeek sells Buckyballs. No, we don't get kickbacks, but we totally should.
Update: 09/23 13:23 GMT by KD : Reader Coopjust (872796) points out one place where the disputed video has been mirrored. -
Whatever Happened To Programming?
Mirk writes "In a recent interview, Don Knuth wrote: 'The way a lot of programming goes today isn't any fun because it's just plugging in magic incantations — combine somebody else's software and start it up.' The Reinvigorated Programmer laments how much of our 'programming' time is spent pasting not-quite-compatible libraries together and patching around the edges." This 3-day-old article has sparked lively discussions at Reddit and at Hacker News, and the author has responded with a followup and summation. -
Reddit Javascript Exploit Spreading Virally
Nithendil writes "guyhersh from reddit.com describes the situation (warning: title NSFW): Based on what I've seen today, here's what went down. Reddit user Empirical wrote javascript code where if you copied and pasted it into the address bar, you would instantly spam that comment by replying to all the comments on the page and submitting it. Later xssfinder posted a proof of concept where if you hovered over a link, it would automatically run a Javascript. He then got the brilliant idea to combine the two scripts together, tested it and it spread from there." -
Iranian Government Cuts Off Internet Access Again
AlbionTourgee writes "It is reported that Gmail and Yahoo mail at least have been blocked in Iran, along with many English-language sites. While news of demonstrations seems to be getting out of the country, the government appears to be trying to prevent people within Iran from communicating and from learning what's happening. It remains to be seen whether TOR and Freenets can be effective to combat this sort of effort to block communications, and whether the general circulation of information about the protests around the world will help." -
How to Stop Digg-cheating, Forever
The following was written by frequent Slashdot editorial contributor Bennett Haselton. He writes "Recently author Annalee Newitz created a bit of a stir with the revelation that she had bought her way to the front page of the story-ranking site Digg. Since Digg allows any registered user to go to a story's URL and "digg it" in order to push it upward through the story-ranking system, it was inevitable that services like User/Submitter would come along, where a Digg user can pay for other users to cast votes to push their story up to the top. User/Submitter says they are currently backlogged and not taking new orders, but they say the service will return and will soon feature services for manipulating similar sites like Digg competitor reddit. Even if the new U/S features are vaporware, it probably won't be long before other companies offer similar services. But it seems like all of these story-ranking sites could prevent the manipulation by making one simple change to their voting algorithm."
Before getting to that though, what's at stake? The revelation that Digg could be trivially manipulated did not cause the site to be overrun with bogus stories all at once -- most of the links on the front page still look interesting. Newitz said that her story, which was deliberately chosen to be as lame as possible, got buried by users soon after it hit the front page, which is how Digg cleans spam stories out of the system. However, she also said that in the time that the story was on the front page, the story got about 35,000 hits, whereupon her server crashed and the traffic was thereafter divided with two other mirror sites; presumably if the server had stayed up, she would have gotten about 100,000 hits, all for an initial expenditure of $100, which is orders of magnitude cheaper than buying advertising any other way.
(If she had done the same thing with a good story instead of a deliberately lame one, presumably the traffic gains resulting from word-of-mouth and repeat visitors would have been even higher.) As long as the benefits outweigh the cost, more and more unscrupulous users are likely to pay for such services, and since the service provided by User/Submitter is easy to copy, probably similar services will spring up to drive the price down even further. If nothing changes, then eventually sites like Digg and reddit will be flooded with nothing but paid stories. Most of the stories on the front page will probably still be interesting (why would you pay to promote a link, unless it was good enough to draw repeat visitors and get the most value for your money?), but everybody who didn't pay for votes would eventually get crowded out.
One Good Samaritan, Jim Messenger, managed to shut down one Digg manipulation service called Spike The Vote, by buying it out (for a paltry $1,275 - they must have wanted to get out fast) and then turning it over to Digg. He warned people that the moral was: Don't sign up for Digg manipulation services, since Digg might get your information from them and then you'll be banned. Actually, I think the moral is simpler: if you're going to try anything like that, do it from a throwaway account that you don't care about losing if you get caught. (Or, only sign up with manipulation services which publish a privacy policy promising never to share your information, especially not with sites like Digg. Then if Digg buys them out, then the site has violated their privacy policy and Digg as the new owner inherits the liability for that, so you can sue them, right?) But as the idea spreads, it will probably become impractical to play whack-a-mole by shutting down manipulation services as they keep springing up. Any time the cost of providing a service (clicking on a few buttons) is small compared to the benefits of receiving the service (100,000 hits in 24 hours), a market will exist for it one way or another, whether you're talking about drug-smuggling, prostitution, or selling Digg votes.
-
How to Stop Digg-cheating, Forever
The following was written by frequent Slashdot editorial contributor Bennett Haselton. He writes "Recently author Annalee Newitz created a bit of a stir with the revelation that she had bought her way to the front page of the story-ranking site Digg. Since Digg allows any registered user to go to a story's URL and "digg it" in order to push it upward through the story-ranking system, it was inevitable that services like User/Submitter would come along, where a Digg user can pay for other users to cast votes to push their story up to the top. User/Submitter says they are currently backlogged and not taking new orders, but they say the service will return and will soon feature services for manipulating similar sites like Digg competitor reddit. Even if the new U/S features are vaporware, it probably won't be long before other companies offer similar services. But it seems like all of these story-ranking sites could prevent the manipulation by making one simple change to their voting algorithm."
Before getting to that though, what's at stake? The revelation that Digg could be trivially manipulated did not cause the site to be overrun with bogus stories all at once -- most of the links on the front page still look interesting. Newitz said that her story, which was deliberately chosen to be as lame as possible, got buried by users soon after it hit the front page, which is how Digg cleans spam stories out of the system. However, she also said that in the time that the story was on the front page, the story got about 35,000 hits, whereupon her server crashed and the traffic was thereafter divided with two other mirror sites; presumably if the server had stayed up, she would have gotten about 100,000 hits, all for an initial expenditure of $100, which is orders of magnitude cheaper than buying advertising any other way.
(If she had done the same thing with a good story instead of a deliberately lame one, presumably the traffic gains resulting from word-of-mouth and repeat visitors would have been even higher.) As long as the benefits outweigh the cost, more and more unscrupulous users are likely to pay for such services, and since the service provided by User/Submitter is easy to copy, probably similar services will spring up to drive the price down even further. If nothing changes, then eventually sites like Digg and reddit will be flooded with nothing but paid stories. Most of the stories on the front page will probably still be interesting (why would you pay to promote a link, unless it was good enough to draw repeat visitors and get the most value for your money?), but everybody who didn't pay for votes would eventually get crowded out.
One Good Samaritan, Jim Messenger, managed to shut down one Digg manipulation service called Spike The Vote, by buying it out (for a paltry $1,275 - they must have wanted to get out fast) and then turning it over to Digg. He warned people that the moral was: Don't sign up for Digg manipulation services, since Digg might get your information from them and then you'll be banned. Actually, I think the moral is simpler: if you're going to try anything like that, do it from a throwaway account that you don't care about losing if you get caught. (Or, only sign up with manipulation services which publish a privacy policy promising never to share your information, especially not with sites like Digg. Then if Digg buys them out, then the site has violated their privacy policy and Digg as the new owner inherits the liability for that, so you can sue them, right?) But as the idea spreads, it will probably become impractical to play whack-a-mole by shutting down manipulation services as they keep springing up. Any time the cost of providing a service (clicking on a few buttons) is small compared to the benefits of receiving the service (100,000 hits in 24 hours), a market will exist for it one way or another, whether you're talking about drug-smuggling, prostitution, or selling Digg votes.
However, I think there's a way to fix it, and here it is. Have you ever seen people put a link in their profile to their HotOrNot picture, saying "Go here and vote me a 10!!"? Similar to the people who send links to their friends and say, "I just posted this, please Digg this for me!" The difference is that on HotOrNot, it doesn't work. On HotOrNot, you can cast votes for a picture in one of two ways. The first way is to go directly to the URL for someone's picture; the second way is to load the front page, where a random picture from the database is selected at random, and vote for whatever picture comes up. The catch is that the votes that you cast by going directly to someone's picture, are simply ignored in calculating the average score for that photo. The only votes that are counted are the votes cast for random pictures displayed on the front page. So if you want to manipulate the voting for your own photo, you'd have to load the front page hundreds of thousands of times waiting for your own picture to come up repeatedly, which is hard to do without being detected.
To enable an algorithm like this on Digg and reddit, the sites could present users with a sidebar box that displays random stories from the pool of recent submissions. (reddit already has a serendipity feature that users can use to select a random story from the available pool, which could be leveraged for this purpose.) Once a story has collected, say, 100 votes -- or whatever number is considered sufficient to provide a representative random sample of how the story appeals to people -- then on that basis the story can either be buried or promoted to the top, where it would be seen by, say, 100,000 people. The elegance of this system is that bad content would only be seen by 100 people on average before it's buried, whereas good content would be seen by all the 100,000 people who view it on the front page, so the average user sees 1,000 pieces of good content for every 1 piece of crap. Even if 75% of users ignore the random story box completely, that just means you have to display it to 400 users instead of 100 before you have enough data points for a good random sample.
I suggested essentially the same algorithm for how an open-source search engine could work without being vulnerable to gaming even by those who understood all of its inner workings. The main difference, of course, is that Digg and reddit actually exist now. Digg declined to comment on the possible merits of such an algorithm; reddit's Steve Huffman said that the idea sounded interesting, although even if the idea got full buy-in, naturally any proposed change would take a long time to bring to fruition.
But it seems that an algorithm similar to this one would be the only way to prevent cheating on sites like Digg that sort content based on user votes. So it's ironic that HotOrNot, the only site I know of that is using a variation of this algorithm and hence is probably the most secure against cheating, is also the one where cheating is least likely to be a problem. Getting a high placement on Digg might enable you to make some money, but getting a highly rated picture on HotOrNot isn't going to make you rich (unless it helps you meet a millionaire who is using the site to find his third wife). Also, making HotOrNot meritocratic doesn't give people an incentive to improve the "content" that they submit, because up to the limits of what can be done with hair and wardrobe, you can't make yourself that much more attractive. With Digg and reddit, on the other hand, I might work harder at submitting a good story, if I knew that it worked in a perfectly meritocratic fashion that pushed good stories right to the top.
If you do this, you don't need any of the other countermeasures listed in Annalee Newitz's follow-up piece "Herding the Mob", such as analyzing user account history for suspicious behavior. As long as most users in the system are legitimate, most of the users in your random sample will be legitimate as well, and their voting will be representative of what most of the community would think. A story could also get a high score within a specific sub-area of the site like the sports page, but kept off of the main site front page, if the story got a high score from a random sampling of sports-oriented users but a low score from a sample of everyone else.
You could even sub-divide the topical areas further, down to a level of granularity like "Would Barack Obama make a good president?" A site called Helium is currently trying something like this -- users can submit essays on subjects like "Racial inequality or oppression: Do they truly exist in todays society?", and vote on how to rank other essays against each other. The voting works on the random selection principle that I'm advocating here -- users are presented with a pair of randomly chosen essays from a given category (not necessarily the same category for which you submitted an essay) and told to vote for the better one, so there's no way to tell all your friends to go to the link for your essay and give it a high rating. The main limitation though is that while the votes can push you to the top of a particular sub-category, that won't cause your article to "break out" and get to the front page of the site -- Helium says that those front-page articles are chosen at random by employees from among those articles that are highly rated within their narrow category, so just being good is not enough. And if you want to write something that doesn't fit into any existing categories, you have to create a new category for your essay like I did, which will then be a category containing one essay that nobody else ever sees. Perhaps both of these limitations could be overcome by adding the option to rate randomly selected essays on a scale of 1 to 10 -- thus providing a way to rate essays that exist alone in their own category, and also a way to find the best essays across the entire site, rated against each other.
If Digg or reddit adopts a model that uses the random-voter-selection method, then there's the issue of how to handle the votes cast by users under the current system -- the ones who go to a story link and click "digg it", which is what makes the existing system vulnerable to gaming. Digg could do what HotOrNot does, and just ignore those votes outright, but users would probably view this as deceptive. Perhaps Digg could say that votes cast by self-selected users (the ones who go straight to the story link) are counted along with votes from randomly-selected users, unless the average of the self-selected votes is significantly different from the average from the randomly-selected votes, in which case the self-selected votes are ignored. Hopefully this would satisfy most users and preserve the "community" feel of the site, and only a spoilsport would point out that counting the self-selected votes only if they agree with the randomly-selected votes, is exactly the same thing as ignoring the self-selected votes entirely.
I asked the owner of User/Submitter what he thought about this. He was willing to talk with surprising candor (except about things like his real name) and spoke as if he'd like nothing better than for Digg to make changes to their service that would block his system from working. To both Annalee Newitz and me, he said, "We find it interesting that Digg still allows anybody to view any user's diggs. By way of this 'feature,' User/Submitter is able to verify that our users actually digg the stories they're given. Without this feature, Digg users are given complete digging privacy, and User/Submitter cannot exist." Some have expressed skepticism that the Digg cheaters really want Digg to fix the problem. But as a security tester, I can understand that mentality. If you report a problem, and a company doesn't fix it, eventually you get tempted to publicize the problem to draw attention to it. And if they still don't fix it, and it's a fairly benign security hole that merely enables some pranksters to get some undeserved attention, why not build a service around exploiting the hole, if it will highlight the problem and encourage it to get fixed?
So I'm going to go out on a limb and say the U/S guy sincerely wants Digg to be more secure. However I disagree with him about his proposed fix, that of hiding a user's digg history. First of all, it won't stop anyone who creates a multitude of accounts all under their control -- you can use Tor to make it appear that you're coming from many different IP addresses, and build up a history of "legitimate" votes before using your votes to push sites deliberately. (Be sure to use different browsers, or vary your User-Agent header if you know how to do that, so that a series of votes from identical browser types doesn't give you away.) If your service does work by paying other users to cast votes, then you could still audit whether they're casting their votes honestly -- for example, create a test story, use 5 sockpuppet accounts to digg it 5 times, then tell your confederate to digg it. If the number of diggs doesn't go up to 6, then you know they're not honoring their end of the deal, and kick them out of the system. As long as most confederates think there might be some chance of getting caught if they don't play along, most of them would probably cast the votes that they were paid for, since it costs them nothing to do so and they wouldn't want to jeopardize their stream of easy money.
I asked the owner of User/Submitter if his service could defeat the random-sampling algorithm I described. "It would slow down our service," he answered, "but certainly wouldn't eliminate it because eventually a U/S User will have an opportunity to vote on a U/S Submission by way of chance." But I don't see how this would beat the algorithm -- some U/S voters would still get to vote on the story, but as long as there are far more legitimate voters than U/S voters, then a random sampling will almost always contain far more legitimate voters. The U/S owner also said, "Randomized voting privileges would be unnecessarily confusing, frustrating, and fragmenting. Not to forget: unfair and undemocratic." Well, you could keep it from being "confusing" or "frustrating" by keeping the existing interface (with the possible addition of a randomly-selected-story box), so that the only changes would be in how the votes are handled under the hood. "Fragmenting"? If anything, it seems to me that the existing Digg/reddit algorithms would be more fragmenting, keeping users within their existing communities of friends who vote for each other's stories; a random-selection box would give stories with "crossover appeal" a greater chance of success, bringing them to the attention of users who might otherwise never have seen them. As for "unfair and undemocratic", presumably this is a reaction to the fact that the votes of 100 users decide what everyone else sees. But it's already the case with Digg that the votes of a small number of users decide what content becomes popular. At least with a random sample of users, it would be the case that the vast majority of the time, the voting outcome would be the same as it would have been if the entire site had voted, due to the magic of representative sampling.
So, I'm putting this suggestion out there for the same reason that Jim Messenger bought out Spike The Vote -- because I don't want sites like Digg and reddit to be manipulated by the abusers. In fact, if they used this algorithm, they would become more meritocratic than they are now, because the systems would strictly favor the highest-rated content, instead of content written by people who have informal networks of friends who can all go digg their stories for them. If I were to design the user rating system to make it cheat-proof, these are the exact details of what I would do:
- Wherever they decide to post the "random story sampling" box (on the front page, or on a link off to a separate page, etc.), have it work so that as soon as new stories are submitted, they can be rotated into that box and displayed to a random set of users, until it's reached its total of 100 votes or however many are required to get a random sample.
- You can have "shutout voting" to kill off stories early that are obvious spam or otherwise really useless, without going through the full 100 votes. (For example, if 90% of the first 10 votes are negative, then stop collecting votes.) This decreases the number of users "inconvenienced" by really obvious spam and other garbage.
- For someone to submit content that gets rotated into that voting process, have them submit a Turing test (read numbers off of a graphic and type them in), or something similar. This prevents spammers from submitting spam content over and over just to have it viewed by those initial 10 voters. If they have to type in a number each time, it's not worth it.
- When users give votes to a story, give them the option to say why they voted the way that they did. (This is especially valuable if they're giving negative votes, then the submitter would know what to improve.) Personally I think the comments would be more valuable if each user can't see other users' comments, at the time they submit their own comments; this prevents the "me too" effect where everybody echoes the first two commenters. (When I ask for independent comments from people, and they almost all say the same thing without seeing each other's comments, that's when I know they have a point!)
- To prevent an attacker from having their own username hit the random-voting page over and over in hopes of voting up their own content, make sure that each user account is only allowed to vote on a given piece of content once (even if they found the content through the random-story page).
- Require a Turing test for new user signups. This would prevent an attacker from registering a huge number of accounts just to hit the random voting page with different users over and over, in hopes of getting to vote on their own submitted content eventually.
Then after running this system for a while, look through some collected data to determine if the system could be more efficient. For example, do you really need a sample of 100 votes every time? Suppose you determine that in 99% of cases, you get the same result just from tabulating the first 50 votes, as you would have gotten from tabulating all 100 votes. Then you could modify the system to collect only the first 50 votes, and then make a decision.
Suggestions for improvement? Flaws (hopefully not fatal)? Everyone who cares about keeping community sites like Digg free from abuse, and who wants to create a path for the best content to rise to the top, let's put our heads together and see what we can think of. The above is intended merely as a jumping-off point, and although I've worked it over and I can't see any specific points to improve efficiency, that's probably just because I've been looking at it too long. And if you Digg this story for me I'll give you 1,000 times as much cash as I gave my Mom last Mother's Day.
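The tallying rules from the list above (count only votes from users the site invited at random, one vote per account, shutout after the first 10 votes, verdict at 100), together with a small simulation of the essay's claims about paid voters and about deciding on 50 votes instead of 100. This is an added illustration, not code from the essay or from Digg, reddit or HotOrNot; the class and function names, the 5,000-user population and the voter behaviour model are assumptions.

```python
import random

SAMPLE_SIZE = 100     # votes collected per story (the essay's figure)
SHUTOUT_AFTER = 10    # essay's example: inspect the first 10 votes...
SHUTOUT_DOWNS = 9     # ...and stop early if 90% of them are negative


class SampledStory:
    """Tallies votes only from users the site itself picked at random."""

    def __init__(self):
        self.invited = set()   # users shown the story in the random box
        self.votes = {}        # user_id -> True (up) / False (down)
        self.ignored = 0       # direct-URL, repeat or late votes
        self.status = "collecting"

    def invite(self, user_id):
        self.invited.add(user_id)

    def cast(self, user_id, up):
        """Return True only if the vote was added to the tally."""
        if (self.status != "collecting" or user_id not in self.invited
                or user_id in self.votes):
            self.ignored += 1
            return False
        self.votes[user_id] = up
        total = len(self.votes)
        downs = list(self.votes.values()).count(False)
        if total == SHUTOUT_AFTER and downs >= SHUTOUT_DOWNS:
            self.status = "buried"                      # shutout voting
        elif total >= SAMPLE_SIZE:
            self.status = "promoted" if downs * 2 < total else "buried"
        return True


def simulate(quality, colluder_fraction, respond_rate=1.0,
             population=5000, rng=None):
    """Run one story through the sampling box and return its SampledStory.

    quality: chance that a legitimate user votes the story up.
    respond_rate: chance that a legitimate user votes at all when shown it.
    Paid voters are modelled as the worst case: they always vote up.
    """
    rng = rng or random.Random()
    colluders = set(range(int(population * colluder_fraction)))
    story = SampledStory()
    for uid in colluders:              # paid voters open the story URL directly
        story.cast(uid, True)          # never invited, so never counted
    for uid in rng.sample(range(population), population):
        if story.status != "collecting":
            break
        story.invite(uid)
        if uid in colluders:
            story.cast(uid, True)
        elif rng.random() < respond_rate:
            story.cast(uid, rng.random() < quality)
    return story


def promotion_rate(quality, colluder_fraction, respond_rate=1.0,
                   trials=200, seed=1):
    """Fraction of simulated stories that end up promoted."""
    rng = random.Random(seed)
    hits = sum(
        simulate(quality, colluder_fraction, respond_rate, rng=rng).status
        == "promoted"
        for _ in range(trials)
    )
    return hits / trials


def early_agreement(quality, k=50, trials=500, seed=2):
    """How often the first k votes give the same verdict as all 100."""
    rng = random.Random(seed)
    same = 0
    for _ in range(trials):
        ballots = [rng.random() < quality for _ in range(SAMPLE_SIZE)]
        same += (sum(ballots[:k]) * 2 > k) == (sum(ballots) * 2 > SAMPLE_SIZE)
    return same / trials


if __name__ == "__main__":
    print("weak story, 2% paid voters:", promotion_rate(0.2, 0.02, 0.25))
    print("strong story, no paid voters:", promotion_rate(0.8, 0.0))
    print("first 50 vs all 100, clear-cut story:", early_agreement(0.8))
    print("first 50 vs all 100, borderline story:", early_agreement(0.5))
```

With `respond_rate=0.25` the paid accounts make up a larger share of the counted votes than of the user base, because in this model they always respond; the one-vote-per-account rule and the sign-up Turing test in the list are what keep that share small.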