Domain: slashdot.org
Stories and comments across the archive that link to slashdot.org.
Stories · 37,380
-
ATF Tests Show 3D Printed Guns Can Explode
Lucas123 writes "The ATF has been testing 3D printed guns over the past year and, not surprisingly, has found that depending on the thermoplastics, 3D printers and CAD designs used, some can explode on the first attempt to shoot them. The ATF published videos this week of the tests on YouTube showing what looked like a Liberator model of a 3D gun exploding upon being fired. Another model, created with the popular ABS polymer and an advanced printer, could fire as many as 8 shots. The tests were published at a time when a law passed in 1988 banning the sale of guns made entirely of plastic is set to expire next month." I hope they post the videos when they do the same tests on Solid Concepts' 1911. -
SourceForge Appeals To Readers For Help Nixing Bad Ad Actors
Last week, we mentioned that the GIMP project had elected to leave SourceForge as its host, citing SourceForge's advertising policies. SourceForge (which shares a parent company with Slashdot) has released a statement about those policies, addressing in particular both ads that are confusing in themselves and their revenue-sharing system called DevShare, based on the provision of third-party software along with users' downloads. Among other things, the SF team is appealing to users to help them find and block misleading ads, and has this to say about the additional downloads: "The DevShare program has been designed to be fully transparent. The installation flow has no deceptive steps, all offers are fully disclosed, and the clear option to completely decline the offer is always available. All uninstallation procedures are exhaustively documented, and all third party offers go through a comprehensive compliance process to make sure they are virus and malware free." -
P2P Data Not Private, But It Could Be
Frequent correspondent Bennett Haselton writes with a forward-looking response to a recent ruling that peer-to-peer network participants have little privacy interest in files stored on their computer and that they have made available via P2P. Writes Bennett: "A court rules that law enforcement did not improperly 'search' defendants' computers by downloading files that the computers were sharing via P2P software. This seems like a reasonable ruling, but such cases may become rare if P2P software evolves to the point where all downloads are routed anonymously through other users' computers." Read on for the rest.The police had used an automated P2P search tool to find evidence that child pornography was being shared from the defendants' computers, and then used that evidence to obtain probable cause warrants for searching their computers (where they subsequently found child porn being stored, and the defendants were charged accordingly). Last Friday, District Court Judge Christina Reiss ruled that the P2P search tool did not violate the defendants' 4th Amendment rights against unreasonable search, as they had argued.
I'm all for strong privacy rights and the right to exclude evidence at trial that was gathered improperly, but it's hard to see how the defendants thought they had a leg to stand on here. When you share a file on a P2P network where other users can download directly from your computer, by definition you are advertising that you have that file. Now, some of the time you might be sharing that file not out of the goodness of your heart, but because you're required to share the file in order to earn "credits" that you can use to continue your own downloads (BitTorrent requires sharing for this reason). But even then, you would still know that you were sharing the file (unless you really never realized how file sharing software works, but since it's actually called "file sharing software", that's kind of on you).
However, as I wrote in January, there's no reason why popular P2P programs couldn't re-route each download through a different user's connection, so that if you were downloading a file from another computer's IP address, you would never know if the file resided on that computer's hard drive. Obviously I'm not endorsing the use of such software by creeps like the ones who were arrested; I'm saying that regardless of how we feel about it, it's inevitable that proxified re-routed connections will become the de facto standard for P2P file sharing, if the following conditions remain true:
-
It remains legal to run the software at all. This seems like a reasonable assumption in a mostly-free country like the U.S., where although piracy is illegal, file-sharing programs like BitTorrent are still legal even if they are frequently used for piracy.
-
A user cannot be held liable for unknowingly forwarding data packets on behalf of someone else, even if the data packets comprise an illegal file (whether it's child pornography or a pirated movie).
-
Bandwidth continues to get faster and cheaper. Today, if you download a 100-megabyte file by routing your download through three other users' computers, it will usually be much slower and more inconvenient than if you'd downloaded the file directly. In a few years, you won't notice the difference.
-
If the police raid a suspect's house and seize their computer, if they see that the computer has an encrypted partition, the suspect can invoke their Fifth Amendment right to refuse to give the police the decryption password. You know how I feel about that, but the latest rulings on the question seem to affirm that you can refuse to decrypt your hard drive for law enforcement. So a good P2P client for "illicit" file trading would come with built-in support for an encrypted hard drive partition, where all saved files would be stored. (The software would probably come with a "kill switch" that you could use to instantly dismount your encrypted partition if you heard a knock on your door, and a five-minute inactivity timeout after which the drive would dismount automatically.)
In that previous article, I described a protocol in which any time a P2P user X (the "downloader") downloaded a file from another P2P user Y (the "sharer"), the connection would be routed through the computer of at least one "go-between" user Z (and possibly a chain of users Z1, Z2,... Zn). Each of the go-betweens simply downloads bytes from the next computer "up" the chain and sends those bytes on to the next computer "down" the chain, and none of the go-betweens know how far the chain extends in either direction. Because of the design of the protocol, from the point of view of any of the go-betweens, there is only a 40% chance that the computer they're downloading from, is the original "sharer." (See the January article for details on how this would be achieved.)
Now, does the analysis change if your adversary is the FBI looking for child pornographers, rather than the MPAA looking for movie pirates? Here are the variables that I think matter:
-
The standard of proof to punish you is higher. In a civil lawsuit, the MPAA would only have to prove their case against you by a "preponderance of the evidence" (i.e. greater than 50%); to obtain a criminal conviction, the court would have to prove your guilt "beyond a reasonable doubt." However in both cases, if all that the court knows is that the defendant's computer was identified as passing along bits and bytes of an illegal file, and the court understands that there's only a 40% chance that the computer owner actually possessed the illegal file, then this falls below the standard of proof in both cases. (Of course, this is contingent on no other evidence turning up to implicate you. If the police raid your house and find child pornography printouts lying around your desk, then so much for the "40% chance of guilt" figure.)
-
In a civil trial, the defendant can be called to the stand and made to answer questions (unlike a criminal trial, where the defendant can refuse to testify under the Fifth Amendment). So even if the MPAA's lawyer knew there was only a 40% chance that they had sued the right defendant, they could ask the defendant under oath, "Did you download this movie?" (Or they could sue 10 defendants at once, and argue, correctly, that on average about 4 of those defendants were probably guilty.) The defendant could invoke their Fifth Amendment rights and refuse to answer, however, in a civil trial, the court is free to consider this refusal to be evidence weighing in favor of the defendant's guilt. In theory, a defendant could simply say "No," and there would be no way to prove they were lying. In practice, the MPAA's lawyer might try to intimidate a defendant into confessing, telling them that the worst that can happen to them if they confess is just a monetary judgment, but if they lie under oath they could go to jail, etc.
-
The punishment for getting caught for possession of child pornography is much more severe. I'm not sure if this changes the analysis though. It's not a case of "a 40% chance of losing a lawsuit vs. a 40% chance of going to jail." If the court in both cases can never establish your guilt with a probability of more than 40%, then since that's not enough to get a criminal conviction or a civil judgment, you actually have a 0% chance of losing in either case, provided you don't make any other errors (leaving illegal printouts by your computer), and provided the court actually understands that the "evidence" only establishes about a 40% chance of your guilt.
-
The cost of being accused of possessing child pornography is much higher, even if you ultimately win in court. If the MPAA sues you for downloading a pirated movie (even if they know there's only a 40% chance they've got the right person), that would probably just increase your street cred among your friends. If you're a middle-aged computer nerd accused of downloading child pornography, not so much. Even if you're ultimately acquitted, your reputation will probably be ruined.
This last point suggests the only "attack" that I can think of that law enforcement could use successfully against this protocol. The police know in advance that if they arrest someone for transmitting an illegal file from their IP address, and if the defendant refuses to testify and the defendant's hard drive is encrypted, the state won't be able to get a conviction since there's only a 40% chance that the defendant was actually in possession of the file. However, if the defendant's life will be ruined by going to trial anyway, law enforcement could use this as a bludgeon to scare people away from even running the P2P protocol. Saying, in essence, "We're going to go out and do searches for illegal files to download, and we will file charges against any person whose IP address re-transmits an illegal file to us. Even though we know we won't be able to get a conviction, we'll ruin the lives of anyone we can identify in this way, so that's the risk that you're taking by installing this software, even if you yourself don't do anything illegal."
Whether this attack would be effective, depends on whether the courts would tolerate these kinds of "intimidation" prosecutions, where the law enforcement knows going in that they can never establish more than a 40% chance of the defendant's guilt (and hence no chance of conviction unless the defendant "cracks"), but they press charges anyway. I would call that an abuse of state power, and say that any prosecutor who knowingly pursues a losing case should be fired and compensation should be paid to the victim, but the courts might not see it that way, especially if the prosecutor finds a way to work the phrase "child porn" into every sentence.
-
-
P2P Data Not Private, But It Could Be
Frequent correspondent Bennett Haselton writes with a forward-looking response to a recent ruling that peer-to-peer network participants have little privacy interest in files stored on their computer and that they have made available via P2P. Writes Bennett: "A court rules that law enforcement did not improperly 'search' defendants' computers by downloading files that the computers were sharing via P2P software. This seems like a reasonable ruling, but such cases may become rare if P2P software evolves to the point where all downloads are routed anonymously through other users' computers." Read on for the rest.The police had used an automated P2P search tool to find evidence that child pornography was being shared from the defendants' computers, and then used that evidence to obtain probable cause warrants for searching their computers (where they subsequently found child porn being stored, and the defendants were charged accordingly). Last Friday, District Court Judge Christina Reiss ruled that the P2P search tool did not violate the defendants' 4th Amendment rights against unreasonable search, as they had argued.
I'm all for strong privacy rights and the right to exclude evidence at trial that was gathered improperly, but it's hard to see how the defendants thought they had a leg to stand on here. When you share a file on a P2P network where other users can download directly from your computer, by definition you are advertising that you have that file. Now, some of the time you might be sharing that file not out of the goodness of your heart, but because you're required to share the file in order to earn "credits" that you can use to continue your own downloads (BitTorrent requires sharing for this reason). But even then, you would still know that you were sharing the file (unless you really never realized how file sharing software works, but since it's actually called "file sharing software", that's kind of on you).
However, as I wrote in January, there's no reason why popular P2P programs couldn't re-route each download through a different user's connection, so that if you were downloading a file from another computer's IP address, you would never know if the file resided on that computer's hard drive. Obviously I'm not endorsing the use of such software by creeps like the ones who were arrested; I'm saying that regardless of how we feel about it, it's inevitable that proxified re-routed connections will become the de facto standard for P2P file sharing, if the following conditions remain true:
-
It remains legal to run the software at all. This seems like a reasonable assumption in a mostly-free country like the U.S., where although piracy is illegal, file-sharing programs like BitTorrent are still legal even if they are frequently used for piracy.
-
A user cannot be held liable for unknowingly forwarding data packets on behalf of someone else, even if the data packets comprise an illegal file (whether it's child pornography or a pirated movie).
-
Bandwidth continues to get faster and cheaper. Today, if you download a 100-megabyte file by routing your download through three other users' computers, it will usually be much slower and more inconvenient than if you'd downloaded the file directly. In a few years, you won't notice the difference.
-
If the police raid a suspect's house and seize their computer, if they see that the computer has an encrypted partition, the suspect can invoke their Fifth Amendment right to refuse to give the police the decryption password. You know how I feel about that, but the latest rulings on the question seem to affirm that you can refuse to decrypt your hard drive for law enforcement. So a good P2P client for "illicit" file trading would come with built-in support for an encrypted hard drive partition, where all saved files would be stored. (The software would probably come with a "kill switch" that you could use to instantly dismount your encrypted partition if you heard a knock on your door, and a five-minute inactivity timeout after which the drive would dismount automatically.)
In that previous article, I described a protocol in which any time a P2P user X (the "downloader") downloaded a file from another P2P user Y (the "sharer"), the connection would be routed through the computer of at least one "go-between" user Z (and possibly a chain of users Z1, Z2,... Zn). Each of the go-betweens simply downloads bytes from the next computer "up" the chain and sends those bytes on to the next computer "down" the chain, and none of the go-betweens know how far the chain extends in either direction. Because of the design of the protocol, from the point of view of any of the go-betweens, there is only a 40% chance that the computer they're downloading from, is the original "sharer." (See the January article for details on how this would be achieved.)
Now, does the analysis change if your adversary is the FBI looking for child pornographers, rather than the MPAA looking for movie pirates? Here are the variables that I think matter:
-
The standard of proof to punish you is higher. In a civil lawsuit, the MPAA would only have to prove their case against you by a "preponderance of the evidence" (i.e. greater than 50%); to obtain a criminal conviction, the court would have to prove your guilt "beyond a reasonable doubt." However in both cases, if all that the court knows is that the defendant's computer was identified as passing along bits and bytes of an illegal file, and the court understands that there's only a 40% chance that the computer owner actually possessed the illegal file, then this falls below the standard of proof in both cases. (Of course, this is contingent on no other evidence turning up to implicate you. If the police raid your house and find child pornography printouts lying around your desk, then so much for the "40% chance of guilt" figure.)
-
In a civil trial, the defendant can be called to the stand and made to answer questions (unlike a criminal trial, where the defendant can refuse to testify under the Fifth Amendment). So even if the MPAA's lawyer knew there was only a 40% chance that they had sued the right defendant, they could ask the defendant under oath, "Did you download this movie?" (Or they could sue 10 defendants at once, and argue, correctly, that on average about 4 of those defendants were probably guilty.) The defendant could invoke their Fifth Amendment rights and refuse to answer, however, in a civil trial, the court is free to consider this refusal to be evidence weighing in favor of the defendant's guilt. In theory, a defendant could simply say "No," and there would be no way to prove they were lying. In practice, the MPAA's lawyer might try to intimidate a defendant into confessing, telling them that the worst that can happen to them if they confess is just a monetary judgment, but if they lie under oath they could go to jail, etc.
-
The punishment for getting caught for possession of child pornography is much more severe. I'm not sure if this changes the analysis though. It's not a case of "a 40% chance of losing a lawsuit vs. a 40% chance of going to jail." If the court in both cases can never establish your guilt with a probability of more than 40%, then since that's not enough to get a criminal conviction or a civil judgment, you actually have a 0% chance of losing in either case, provided you don't make any other errors (leaving illegal printouts by your computer), and provided the court actually understands that the "evidence" only establishes about a 40% chance of your guilt.
-
The cost of being accused of possessing child pornography is much higher, even if you ultimately win in court. If the MPAA sues you for downloading a pirated movie (even if they know there's only a 40% chance they've got the right person), that would probably just increase your street cred among your friends. If you're a middle-aged computer nerd accused of downloading child pornography, not so much. Even if you're ultimately acquitted, your reputation will probably be ruined.
This last point suggests the only "attack" that I can think of that law enforcement could use successfully against this protocol. The police know in advance that if they arrest someone for transmitting an illegal file from their IP address, and if the defendant refuses to testify and the defendant's hard drive is encrypted, the state won't be able to get a conviction since there's only a 40% chance that the defendant was actually in possession of the file. However, if the defendant's life will be ruined by going to trial anyway, law enforcement could use this as a bludgeon to scare people away from even running the P2P protocol. Saying, in essence, "We're going to go out and do searches for illegal files to download, and we will file charges against any person whose IP address re-transmits an illegal file to us. Even though we know we won't be able to get a conviction, we'll ruin the lives of anyone we can identify in this way, so that's the risk that you're taking by installing this software, even if you yourself don't do anything illegal."
Whether this attack would be effective, depends on whether the courts would tolerate these kinds of "intimidation" prosecutions, where the law enforcement knows going in that they can never establish more than a 40% chance of the defendant's guilt (and hence no chance of conviction unless the defendant "cracks"), but they press charges anyway. I would call that an abuse of state power, and say that any prosecutor who knowingly pursues a losing case should be fired and compensation should be paid to the victim, but the courts might not see it that way, especially if the prosecutor finds a way to work the phrase "child porn" into every sentence.
-
-
P2P Data Not Private, But It Could Be
Frequent correspondent Bennett Haselton writes with a forward-looking response to a recent ruling that peer-to-peer network participants have little privacy interest in files stored on their computer and that they have made available via P2P. Writes Bennett: "A court rules that law enforcement did not improperly 'search' defendants' computers by downloading files that the computers were sharing via P2P software. This seems like a reasonable ruling, but such cases may become rare if P2P software evolves to the point where all downloads are routed anonymously through other users' computers." Read on for the rest.The police had used an automated P2P search tool to find evidence that child pornography was being shared from the defendants' computers, and then used that evidence to obtain probable cause warrants for searching their computers (where they subsequently found child porn being stored, and the defendants were charged accordingly). Last Friday, District Court Judge Christina Reiss ruled that the P2P search tool did not violate the defendants' 4th Amendment rights against unreasonable search, as they had argued.
I'm all for strong privacy rights and the right to exclude evidence at trial that was gathered improperly, but it's hard to see how the defendants thought they had a leg to stand on here. When you share a file on a P2P network where other users can download directly from your computer, by definition you are advertising that you have that file. Now, some of the time you might be sharing that file not out of the goodness of your heart, but because you're required to share the file in order to earn "credits" that you can use to continue your own downloads (BitTorrent requires sharing for this reason). But even then, you would still know that you were sharing the file (unless you really never realized how file sharing software works, but since it's actually called "file sharing software", that's kind of on you).
However, as I wrote in January, there's no reason why popular P2P programs couldn't re-route each download through a different user's connection, so that if you were downloading a file from another computer's IP address, you would never know if the file resided on that computer's hard drive. Obviously I'm not endorsing the use of such software by creeps like the ones who were arrested; I'm saying that regardless of how we feel about it, it's inevitable that proxified re-routed connections will become the de facto standard for P2P file sharing, if the following conditions remain true:
-
It remains legal to run the software at all. This seems like a reasonable assumption in a mostly-free country like the U.S., where although piracy is illegal, file-sharing programs like BitTorrent are still legal even if they are frequently used for piracy.
-
A user cannot be held liable for unknowingly forwarding data packets on behalf of someone else, even if the data packets comprise an illegal file (whether it's child pornography or a pirated movie).
-
Bandwidth continues to get faster and cheaper. Today, if you download a 100-megabyte file by routing your download through three other users' computers, it will usually be much slower and more inconvenient than if you'd downloaded the file directly. In a few years, you won't notice the difference.
-
If the police raid a suspect's house and seize their computer, if they see that the computer has an encrypted partition, the suspect can invoke their Fifth Amendment right to refuse to give the police the decryption password. You know how I feel about that, but the latest rulings on the question seem to affirm that you can refuse to decrypt your hard drive for law enforcement. So a good P2P client for "illicit" file trading would come with built-in support for an encrypted hard drive partition, where all saved files would be stored. (The software would probably come with a "kill switch" that you could use to instantly dismount your encrypted partition if you heard a knock on your door, and a five-minute inactivity timeout after which the drive would dismount automatically.)
In that previous article, I described a protocol in which any time a P2P user X (the "downloader") downloaded a file from another P2P user Y (the "sharer"), the connection would be routed through the computer of at least one "go-between" user Z (and possibly a chain of users Z1, Z2,... Zn). Each of the go-betweens simply downloads bytes from the next computer "up" the chain and sends those bytes on to the next computer "down" the chain, and none of the go-betweens know how far the chain extends in either direction. Because of the design of the protocol, from the point of view of any of the go-betweens, there is only a 40% chance that the computer they're downloading from, is the original "sharer." (See the January article for details on how this would be achieved.)
Now, does the analysis change if your adversary is the FBI looking for child pornographers, rather than the MPAA looking for movie pirates? Here are the variables that I think matter:
-
The standard of proof to punish you is higher. In a civil lawsuit, the MPAA would only have to prove their case against you by a "preponderance of the evidence" (i.e. greater than 50%); to obtain a criminal conviction, the court would have to prove your guilt "beyond a reasonable doubt." However in both cases, if all that the court knows is that the defendant's computer was identified as passing along bits and bytes of an illegal file, and the court understands that there's only a 40% chance that the computer owner actually possessed the illegal file, then this falls below the standard of proof in both cases. (Of course, this is contingent on no other evidence turning up to implicate you. If the police raid your house and find child pornography printouts lying around your desk, then so much for the "40% chance of guilt" figure.)
-
In a civil trial, the defendant can be called to the stand and made to answer questions (unlike a criminal trial, where the defendant can refuse to testify under the Fifth Amendment). So even if the MPAA's lawyer knew there was only a 40% chance that they had sued the right defendant, they could ask the defendant under oath, "Did you download this movie?" (Or they could sue 10 defendants at once, and argue, correctly, that on average about 4 of those defendants were probably guilty.) The defendant could invoke their Fifth Amendment rights and refuse to answer, however, in a civil trial, the court is free to consider this refusal to be evidence weighing in favor of the defendant's guilt. In theory, a defendant could simply say "No," and there would be no way to prove they were lying. In practice, the MPAA's lawyer might try to intimidate a defendant into confessing, telling them that the worst that can happen to them if they confess is just a monetary judgment, but if they lie under oath they could go to jail, etc.
-
The punishment for getting caught for possession of child pornography is much more severe. I'm not sure if this changes the analysis though. It's not a case of "a 40% chance of losing a lawsuit vs. a 40% chance of going to jail." If the court in both cases can never establish your guilt with a probability of more than 40%, then since that's not enough to get a criminal conviction or a civil judgment, you actually have a 0% chance of losing in either case, provided you don't make any other errors (leaving illegal printouts by your computer), and provided the court actually understands that the "evidence" only establishes about a 40% chance of your guilt.
-
The cost of being accused of possessing child pornography is much higher, even if you ultimately win in court. If the MPAA sues you for downloading a pirated movie (even if they know there's only a 40% chance they've got the right person), that would probably just increase your street cred among your friends. If you're a middle-aged computer nerd accused of downloading child pornography, not so much. Even if you're ultimately acquitted, your reputation will probably be ruined.
This last point suggests the only "attack" that I can think of that law enforcement could use successfully against this protocol. The police know in advance that if they arrest someone for transmitting an illegal file from their IP address, and if the defendant refuses to testify and the defendant's hard drive is encrypted, the state won't be able to get a conviction since there's only a 40% chance that the defendant was actually in possession of the file. However, if the defendant's life will be ruined by going to trial anyway, law enforcement could use this as a bludgeon to scare people away from even running the P2P protocol. Saying, in essence, "We're going to go out and do searches for illegal files to download, and we will file charges against any person whose IP address re-transmits an illegal file to us. Even though we know we won't be able to get a conviction, we'll ruin the lives of anyone we can identify in this way, so that's the risk that you're taking by installing this software, even if you yourself don't do anything illegal."
Whether this attack would be effective, depends on whether the courts would tolerate these kinds of "intimidation" prosecutions, where the law enforcement knows going in that they can never establish more than a 40% chance of the defendant's guilt (and hence no chance of conviction unless the defendant "cracks"), but they press charges anyway. I would call that an abuse of state power, and say that any prosecutor who knowingly pursues a losing case should be fired and compensation should be paid to the victim, but the courts might not see it that way, especially if the prosecutor finds a way to work the phrase "child porn" into every sentence.
-
-
P2P Data Not Private, But It Could Be
Frequent correspondent Bennett Haselton writes with a forward-looking response to a recent ruling that peer-to-peer network participants have little privacy interest in files stored on their computer and that they have made available via P2P. Writes Bennett: "A court rules that law enforcement did not improperly 'search' defendants' computers by downloading files that the computers were sharing via P2P software. This seems like a reasonable ruling, but such cases may become rare if P2P software evolves to the point where all downloads are routed anonymously through other users' computers." Read on for the rest.The police had used an automated P2P search tool to find evidence that child pornography was being shared from the defendants' computers, and then used that evidence to obtain probable cause warrants for searching their computers (where they subsequently found child porn being stored, and the defendants were charged accordingly). Last Friday, District Court Judge Christina Reiss ruled that the P2P search tool did not violate the defendants' 4th Amendment rights against unreasonable search, as they had argued.
I'm all for strong privacy rights and the right to exclude evidence at trial that was gathered improperly, but it's hard to see how the defendants thought they had a leg to stand on here. When you share a file on a P2P network where other users can download directly from your computer, by definition you are advertising that you have that file. Now, some of the time you might be sharing that file not out of the goodness of your heart, but because you're required to share the file in order to earn "credits" that you can use to continue your own downloads (BitTorrent requires sharing for this reason). But even then, you would still know that you were sharing the file (unless you really never realized how file sharing software works, but since it's actually called "file sharing software", that's kind of on you).
However, as I wrote in January, there's no reason why popular P2P programs couldn't re-route each download through a different user's connection, so that if you were downloading a file from another computer's IP address, you would never know if the file resided on that computer's hard drive. Obviously I'm not endorsing the use of such software by creeps like the ones who were arrested; I'm saying that regardless of how we feel about it, it's inevitable that proxified re-routed connections will become the de facto standard for P2P file sharing, if the following conditions remain true:
-
It remains legal to run the software at all. This seems like a reasonable assumption in a mostly-free country like the U.S., where although piracy is illegal, file-sharing programs like BitTorrent are still legal even if they are frequently used for piracy.
-
A user cannot be held liable for unknowingly forwarding data packets on behalf of someone else, even if the data packets comprise an illegal file (whether it's child pornography or a pirated movie).
-
Bandwidth continues to get faster and cheaper. Today, if you download a 100-megabyte file by routing your download through three other users' computers, it will usually be much slower and more inconvenient than if you'd downloaded the file directly. In a few years, you won't notice the difference.
-
If the police raid a suspect's house and seize their computer, if they see that the computer has an encrypted partition, the suspect can invoke their Fifth Amendment right to refuse to give the police the decryption password. You know how I feel about that, but the latest rulings on the question seem to affirm that you can refuse to decrypt your hard drive for law enforcement. So a good P2P client for "illicit" file trading would come with built-in support for an encrypted hard drive partition, where all saved files would be stored. (The software would probably come with a "kill switch" that you could use to instantly dismount your encrypted partition if you heard a knock on your door, and a five-minute inactivity timeout after which the drive would dismount automatically.)
In that previous article, I described a protocol in which any time a P2P user X (the "downloader") downloaded a file from another P2P user Y (the "sharer"), the connection would be routed through the computer of at least one "go-between" user Z (and possibly a chain of users Z1, Z2,... Zn). Each of the go-betweens simply downloads bytes from the next computer "up" the chain and sends those bytes on to the next computer "down" the chain, and none of the go-betweens know how far the chain extends in either direction. Because of the design of the protocol, from the point of view of any of the go-betweens, there is only a 40% chance that the computer they're downloading from, is the original "sharer." (See the January article for details on how this would be achieved.)
Now, does the analysis change if your adversary is the FBI looking for child pornographers, rather than the MPAA looking for movie pirates? Here are the variables that I think matter:
-
The standard of proof to punish you is higher. In a civil lawsuit, the MPAA would only have to prove their case against you by a "preponderance of the evidence" (i.e. greater than 50%); to obtain a criminal conviction, the court would have to prove your guilt "beyond a reasonable doubt." However in both cases, if all that the court knows is that the defendant's computer was identified as passing along bits and bytes of an illegal file, and the court understands that there's only a 40% chance that the computer owner actually possessed the illegal file, then this falls below the standard of proof in both cases. (Of course, this is contingent on no other evidence turning up to implicate you. If the police raid your house and find child pornography printouts lying around your desk, then so much for the "40% chance of guilt" figure.)
-
In a civil trial, the defendant can be called to the stand and made to answer questions (unlike a criminal trial, where the defendant can refuse to testify under the Fifth Amendment). So even if the MPAA's lawyer knew there was only a 40% chance that they had sued the right defendant, they could ask the defendant under oath, "Did you download this movie?" (Or they could sue 10 defendants at once, and argue, correctly, that on average about 4 of those defendants were probably guilty.) The defendant could invoke their Fifth Amendment rights and refuse to answer, however, in a civil trial, the court is free to consider this refusal to be evidence weighing in favor of the defendant's guilt. In theory, a defendant could simply say "No," and there would be no way to prove they were lying. In practice, the MPAA's lawyer might try to intimidate a defendant into confessing, telling them that the worst that can happen to them if they confess is just a monetary judgment, but if they lie under oath they could go to jail, etc.
-
The punishment for getting caught for possession of child pornography is much more severe. I'm not sure if this changes the analysis though. It's not a case of "a 40% chance of losing a lawsuit vs. a 40% chance of going to jail." If the court in both cases can never establish your guilt with a probability of more than 40%, then since that's not enough to get a criminal conviction or a civil judgment, you actually have a 0% chance of losing in either case, provided you don't make any other errors (leaving illegal printouts by your computer), and provided the court actually understands that the "evidence" only establishes about a 40% chance of your guilt.
-
The cost of being accused of possessing child pornography is much higher, even if you ultimately win in court. If the MPAA sues you for downloading a pirated movie (even if they know there's only a 40% chance they've got the right person), that would probably just increase your street cred among your friends. If you're a middle-aged computer nerd accused of downloading child pornography, not so much. Even if you're ultimately acquitted, your reputation will probably be ruined.
This last point suggests the only "attack" that I can think of that law enforcement could use successfully against this protocol. The police know in advance that if they arrest someone for transmitting an illegal file from their IP address, and if the defendant refuses to testify and the defendant's hard drive is encrypted, the state won't be able to get a conviction since there's only a 40% chance that the defendant was actually in possession of the file. However, if the defendant's life will be ruined by going to trial anyway, law enforcement could use this as a bludgeon to scare people away from even running the P2P protocol. Saying, in essence, "We're going to go out and do searches for illegal files to download, and we will file charges against any person whose IP address re-transmits an illegal file to us. Even though we know we won't be able to get a conviction, we'll ruin the lives of anyone we can identify in this way, so that's the risk that you're taking by installing this software, even if you yourself don't do anything illegal."
Whether this attack would be effective, depends on whether the courts would tolerate these kinds of "intimidation" prosecutions, where the law enforcement knows going in that they can never establish more than a 40% chance of the defendant's guilt (and hence no chance of conviction unless the defendant "cracks"), but they press charges anyway. I would call that an abuse of state power, and say that any prosecutor who knowingly pursues a losing case should be fired and compensation should be paid to the victim, but the courts might not see it that way, especially if the prosecutor finds a way to work the phrase "child porn" into every sentence.
-
-
Alfred Poor Says HDTV Manufacturers are Hurting (Video)
The last time we talked with Dr. Poor (who is now a Senior Editor at aNewDomain.net), we ran out of time and didn't get around to discussing 3-D and ultra-high-def TV and whether they're worth buying. So here he is again on the Slashdot TV screen (which is *not* high-definition), talking about the TV marketplace. This is a perfect time for that discussion, since Dark Friday is only a few weeks away, and after that we move into the month during which TVs and a lot of other items sell at a lot higher rate than they do during the rest of the year. If you're thinking about buying a new TV for yourself or as a gift this holiday season, you might want to listen to what Dr. Poor has to say on the subject before you do. -
DRM To Be Used In Renault Electric Cars
mahiskali writes with this interesting news via the EFF's Deep Links "The new Renault Zoe comes with a 'feature' that absolutely nobody wants. Instead of selling consumers a complete car that they can use, repair, and upgrade as they see fit, Renault has opted to lock purchasers into a rental contract with a battery manufacturer and enforce that contract with digital rights management (DRM) restrictions that can remotely prevent the battery from charging at all. This coming on the heels of the recent Trans-Pacific Partnership IP Rights Chapter leak certainly makes you wonder how much of that device (car?) you really own. Perhaps Merriam-Webster can simply change the definition of ownership." -
EU To Allow 3G and 4G Connections On Planes
jfruh writes "In America we're celebrating the fact that we don't have to stow our Kindles during takeoff and landing anymore, but the EU is going a step further and not requiring passengers to switch their phones to "airplane" mode anymore. If you're on an airplane with a Network Control Unit that regulate cellular connections, you can text and make calls over standard 3G and 4G networks. You'll want to watch out for roaming charges, though, especially if you're on a flight crossing national borders." -
New Approach To Immersion Cooling Powers HPC In a High Rise
miller60 writes "How do you cool a high-density server installation inside a high rise in Hong Kong? You dunk the servers, immersing them in fluid to create an extremely efficient HPC environment in a hot, humid location. Hong Kong's Allied Control developed its immersion cooling solution using a technique called open bath immersion (OBI), which uses 3M's Novec fluid. OBI is an example of passive two-phase cooling, which uses a boiling liquid to remove heat from a surface and then condenses the liquid for reuse, all without a pump. It's a slightly different approach to immersion cooling than the Green Revolution technique being tested by Intel and deployed at scale by energy companies. Other players in immersion cooling include Iceotope and Hardcore (now LiquidCool)." -
New Approach To Immersion Cooling Powers HPC In a High Rise
miller60 writes "How do you cool a high-density server installation inside a high rise in Hong Kong? You dunk the servers, immersing them in fluid to create an extremely efficient HPC environment in a hot, humid location. Hong Kong's Allied Control developed its immersion cooling solution using a technique called open bath immersion (OBI), which uses 3M's Novec fluid. OBI is an example of passive two-phase cooling, which uses a boiling liquid to remove heat from a surface and then condenses the liquid for reuse, all without a pump. It's a slightly different approach to immersion cooling than the Green Revolution technique being tested by Intel and deployed at scale by energy companies. Other players in immersion cooling include Iceotope and Hardcore (now LiquidCool)." -
New Approach To Immersion Cooling Powers HPC In a High Rise
miller60 writes "How do you cool a high-density server installation inside a high rise in Hong Kong? You dunk the servers, immersing them in fluid to create an extremely efficient HPC environment in a hot, humid location. Hong Kong's Allied Control developed its immersion cooling solution using a technique called open bath immersion (OBI), which uses 3M's Novec fluid. OBI is an example of passive two-phase cooling, which uses a boiling liquid to remove heat from a surface and then condenses the liquid for reuse, all without a pump. It's a slightly different approach to immersion cooling than the Green Revolution technique being tested by Intel and deployed at scale by energy companies. Other players in immersion cooling include Iceotope and Hardcore (now LiquidCool)." -
Could Slashdot (Or Other Private Entity) Sue a Spy Agency Like GCHQ Or NSA?
Nerval's Lobster writes "When the GCHQ agency (Britain's equivalent of the National Security Agency) reportedly decided to infiltrate the IT network of Belgian telecommunications firm Belgacom, it relied on a sophisticated version of a man-in-the-middle attack, in which it directed its targets' computers to fake, malware-riddled versions of Slashdot and LinkedIn. If the attack could be proven without a doubt, would the GCHQ—or any similar spy agency engaging in the same sort of behavior—be liable for violating trademarks or copyrights, since a key part of its attack would necessitate the appropriation of intellectual property such as logos and content? We asked someone from the Electronic Frontier Foundation about that, and received a somewhat dispiriting answer. "From a trademark perspective, if a company uses another company's marks/logos to deceive, there may be a trademark claim," said Corynne McSherry, the EFF's Intellectual Property Director. "But it's complicated a bit by two problems: (1) the fact that while there may be confusion, it's not necessarily related to the actual purchase of any goods and services; and (2) multiple TM laws are in play here—for example UK trademark law may have different exceptions and limitations." McSherry also addressed other issues, including governments' doctrine of sovereign immunity." -
Could Slashdot (Or Other Private Entity) Sue a Spy Agency Like GCHQ Or NSA?
Nerval's Lobster writes "When the GCHQ agency (Britain's equivalent of the National Security Agency) reportedly decided to infiltrate the IT network of Belgian telecommunications firm Belgacom, it relied on a sophisticated version of a man-in-the-middle attack, in which it directed its targets' computers to fake, malware-riddled versions of Slashdot and LinkedIn. If the attack could be proven without a doubt, would the GCHQ—or any similar spy agency engaging in the same sort of behavior—be liable for violating trademarks or copyrights, since a key part of its attack would necessitate the appropriation of intellectual property such as logos and content? We asked someone from the Electronic Frontier Foundation about that, and received a somewhat dispiriting answer. "From a trademark perspective, if a company uses another company's marks/logos to deceive, there may be a trademark claim," said Corynne McSherry, the EFF's Intellectual Property Director. "But it's complicated a bit by two problems: (1) the fact that while there may be confusion, it's not necessarily related to the actual purchase of any goods and services; and (2) multiple TM laws are in play here—for example UK trademark law may have different exceptions and limitations." McSherry also addressed other issues, including governments' doctrine of sovereign immunity." -
EFF Says Mark Shuttleworth Is Wrong About Trademark
sfcrazy writes "Last week Canonical sent a cease and desist letter to EFF staffer Micah F Lee asking him to remove the word Ubuntu from the URL as well as the Ubuntu logo from the site. Lee responded through an attorney who said that Canonical's 'request were not supported by trademark laws and interferes with protected speech.' Shuttleworth apologized, though it was cheeky, and while he dubbed the Mir opponents as non-technical (hello KDE, systemD, Wayland, Intel) he also went on to explain why they needed to protect their trademark. Now there is an official response from EFF. In the blog post EFF has explained that Shuttleworth is far from reality and was totally wrong about trademark." -
EFF Says Mark Shuttleworth Is Wrong About Trademark
sfcrazy writes "Last week Canonical sent a cease and desist letter to EFF staffer Micah F Lee asking him to remove the word Ubuntu from the URL as well as the Ubuntu logo from the site. Lee responded through an attorney who said that Canonical's 'request were not supported by trademark laws and interferes with protected speech.' Shuttleworth apologized, though it was cheeky, and while he dubbed the Mir opponents as non-technical (hello KDE, systemD, Wayland, Intel) he also went on to explain why they needed to protect their trademark. Now there is an official response from EFF. In the blog post EFF has explained that Shuttleworth is far from reality and was totally wrong about trademark." -
Building an 'Invisibility Cloak' With Electromagnetic Fields
Nerval's Lobster writes "University of Toronto researchers have demonstrated an invisibility cloak that hides objects within an electromagnetic field, rather than swaddling it in meta-materials as other approaches require. Instead of covering an object completely in an opaque cloak that then mimics the appearance of empty air, the technique developed by university engineering Prof. George Eleftheriades and Ph.D. candidate Michael Selvanayagam makes objects invisible using the ability of electromagnetic fields to redirect or scatter waves of energy. The approach is similar to that of 'stealth' aircraft whose skin is made of material that absorbs the energy from radar systems and deflects the rest away from the radar detectors that sent them. Rather than scattering radio waves passively due to the shape of its exterior, however, the Toronto pair's 'cloak' deflects energy using an electromagnetic field projected by antennas that surround the object being hidden. Most of the proposals in a long list of 'invisibility cloaks' announced during the past few years actually conceal objects by covering them with an opaque blanket, which becomes 'invisible' by displaying an image of what the space it occupies would look like if neither the cloak nor the object it concealed were present. An invisibility cloak concealing an adolescent wizard hiding in a corner, for example, would display an image of the walls behind it in an effort to fool observers into thinking there was no young wizard present to block their view of the empty corner. 'We've taken an electrical engineering approach, but that's what we are excited about,' Eleftheriades said in a public announcement of the paper's publication. (The full text is available as a free PDF here.)" -
A Makerbot In Every Classroom
Daniel_Stuckey writes "At the start of this year, President Obama nicely summed up the grandiose promise of 3D printing — or rather, the hype surrounding it. In his State of the Union address the president suggested the fledgling technology could save manufacturing by ushering in a second industrial revolution. That shout-out inspired a spate of buzzkill blog posts pointing out — rightly enough — that despite its potential, 3D printing is still in its infancy. It's not the panacea for the struggling economy we want it to be, at least not yet. Apparently the naysayers weren't enough to kill the 3D-printing dream, because, with support from the federal government, MakerBot announced its initiative to put a 3D printer in every school in America. The tech startup and the administration are betting big that teaching kids 3D printing is teaching them the skills they'll need as tomorrow's engineers, designers, and inventors." Caveat: Makerbot no longer produces open hardware, and they are pushing proprietary Autodesk software and educational materials as part of the free 3D printer. Makerbot also launched a call for open models of math manipulatives on Thingiverse (you might remember them from elementary school) so that teachers have something useful to print immediately. -
Demo of Prototype Virtual Retinal Head Mounted Display
muterobert writes with an article about a new head mounted virtual retinal display (technology last covered ages ago). The folks over at Road to VR took a look at an engineering prototype; from the article: "The Avegant HMD uses a virtual retinal projection display consisting of a single LED light source and an array of micro-mirrors. This differs from normal screens in that with a VRD there is no actual screen to look at. Instead, a virtual image (in the optical sense) is drawn directly onto your retina. . ... 'At one point I was looking at a sea turtle in shallow coral waters. Sunlight was beaming down from the surface and illuminating the turtle's shell in a spectacular way — it was one of the most vivid and natural things I've ever seen on any display. The scene before me looked incredibly real, even though the field of view is not at immersive levels.'" -
Demo of Prototype Virtual Retinal Head Mounted Display
muterobert writes with an article about a new head mounted virtual retinal display (technology last covered ages ago). The folks over at Road to VR took a look at an engineering prototype; from the article: "The Avegant HMD uses a virtual retinal projection display consisting of a single LED light source and an array of micro-mirrors. This differs from normal screens in that with a VRD there is no actual screen to look at. Instead, a virtual image (in the optical sense) is drawn directly onto your retina. . ... 'At one point I was looking at a sea turtle in shallow coral waters. Sunlight was beaming down from the surface and illuminating the turtle's shell in a spectacular way — it was one of the most vivid and natural things I've ever seen on any display. The scene before me looked incredibly real, even though the field of view is not at immersive levels.'" -
Physicists Plan to Build a Bigger LHC
ananyo writes "When Europe's Large Hadron Collider (LHC) started up in 2008, particle physicists would not have dreamt of asking for something bigger until they got their US$5-billion machine to work. But with the 2012 discovery of the Higgs boson, the LHC has fulfilled its original promise — and physicists are beginning to get excited about designing a machine that might one day succeed it: the Very Large Hadron Collider. The giant machine would dwarf all of its predecessors (see 'Lord of the rings'). It would collide protons at energies around 100 TeV, compared with the planned 14TeV of the LHC at CERN, Europe's particle-physics lab near Geneva in Switzerland. And it would require a tunnel 80-100 kilometres around, compared with the LHC's 27-km circumference. For the past decade or so, there has been little research money available worldwide to develop the concept. But this summer, at the Snowmass meeting in Minneapolis, Minnesota — where hundreds of particle physicists assembled to dream up machines for their field's long-term future — the VLHC concept stood out as a favorite." -
Microsoft Kills Stack Ranking
Nerval's Lobster writes "Microsoft once demanded that its managers place their subordinates on a scale from 'top' to 'poor,' a practice that fueled some epic backstabbing within divisions. Last year, a Microsoft contractor with knowledge of the company's internal review processes told Slashdot that Microsoft was actively working to fix that system; just this week, the company announced that stack ranking was well and truly dead (and that's certainly one way to fix it). 'Lisa Brummel, head of human resources for the company, sent an e-mail to employees notifying them of the change today, according to my contacts,' ZDNet's Mary Jo Foley wrote. According to the memo, there are 'no more ratings,' 'no more curves,' and 'Managers and leaders will have flexibility to allocate rewards in the manner that best reflects the performance of their teams and individuals, as long as they stay within their compensation budget.' They're trying to encourage more teamwork and collaboration throughout the company. As we discussed on Saturday, Yahoo is adopting this method just as Microsoft is abandoning it." -
Microsoft Kills Stack Ranking
Nerval's Lobster writes "Microsoft once demanded that its managers place their subordinates on a scale from 'top' to 'poor,' a practice that fueled some epic backstabbing within divisions. Last year, a Microsoft contractor with knowledge of the company's internal review processes told Slashdot that Microsoft was actively working to fix that system; just this week, the company announced that stack ranking was well and truly dead (and that's certainly one way to fix it). 'Lisa Brummel, head of human resources for the company, sent an e-mail to employees notifying them of the change today, according to my contacts,' ZDNet's Mary Jo Foley wrote. According to the memo, there are 'no more ratings,' 'no more curves,' and 'Managers and leaders will have flexibility to allocate rewards in the manner that best reflects the performance of their teams and individuals, as long as they stay within their compensation budget.' They're trying to encourage more teamwork and collaboration throughout the company. As we discussed on Saturday, Yahoo is adopting this method just as Microsoft is abandoning it." -
Microsoft Kills Stack Ranking
Nerval's Lobster writes "Microsoft once demanded that its managers place their subordinates on a scale from 'top' to 'poor,' a practice that fueled some epic backstabbing within divisions. Last year, a Microsoft contractor with knowledge of the company's internal review processes told Slashdot that Microsoft was actively working to fix that system; just this week, the company announced that stack ranking was well and truly dead (and that's certainly one way to fix it). 'Lisa Brummel, head of human resources for the company, sent an e-mail to employees notifying them of the change today, according to my contacts,' ZDNet's Mary Jo Foley wrote. According to the memo, there are 'no more ratings,' 'no more curves,' and 'Managers and leaders will have flexibility to allocate rewards in the manner that best reflects the performance of their teams and individuals, as long as they stay within their compensation budget.' They're trying to encourage more teamwork and collaboration throughout the company. As we discussed on Saturday, Yahoo is adopting this method just as Microsoft is abandoning it." -
Music Industry Issues Take Down Notices to 50 Major Lyrics Sites
alphadogg writes "A music industry group is warning some 50 website that post song lyrics that they need to be licensed or face the music, possibly in the form of a lawsuit. The National Music Publishers Association said Monday that it sent take-down notices to what it claims are 50 websites that post lyrics to songs and generate ad revenue but may not be licensed to do so. The allegedly infringing sites were identified based on a complicated algorithm developed by a researcher at the University of Georgia." The "complicated algorithm" (basis statistics using Excel and Google) is described in the NMPA's "Undesirable Lyric Website List." Anyone remember lyrics.ch? -
NASA's Mars Orbiter Reaches Data Milestone
Nerval's Lobster writes "NASA's Mars Reconnaissance Orbiter has sent 200 terabits of scientific data all the way back to Earth over the past seven years. That data largely comes from six instruments aboard the craft, and doesn't include the information used to manage the equipment's health. That 200-terabit milestone also surpasses the ten years' worth of data returned via NASA's Deep Space Network from all other missions managed by NASA's Jet Propulsion Laboratory in Pasadena, California. 'The sheer volume is impressive, but of course what's most important is what we are learning about our neighboring planet,' JPL's Rich Zurek, the project scientist for the Mars Reconnaissance Orbiter, wrote in a statement. It takes roughly two hours for the craft to orbit Mars, recording voluminous amounts of data on everything from the atmosphere to the subsurface. Thanks to its instruments, we know that Mars is a dynamic environment, once home to water. 'Mars Reconnaissance Orbiter has shown that Mars is still an active planet, with changes such as new craters, avalanches and dust storms,' Zurek added. 'Mars is a partially frozen world, but not frozen in time.' While the Orbiter's two-year 'primary science phase' ended in 2008, NASA has granted the hardware three additional extensions, each of which has resulted in additional insight into the Red Planet's secrets." -
GOCE Satellite Burned Up Over Falkland Islands
An anonymous reader writes with an update on the fate of the GOCE satellite. From the article: "The mystery of GOCE's re-entry has now been solved — the one-ton satellite came down over the Falkland Islands, a British overseas territory 300 miles east of the Patagonian coast in the South Atlantic Ocean." -
Head of Silk Road 2.0 Says It Will Be Back In Minutes If Shut Down
Daniel_Stuckey writes "It only took a month for the Silk Road 2.0 to go live after the now infamous Silk Road marketplace shuttered. One month. Should the budding deep-web bazaar experience the same fate as its predecessor, and be knocked out by authorities still whack-a-moling their way through the online front of the war on drugs, the Silk Road 3.0 would be up and running in 15 minutes, tops. That's according to the Dread Pirate Roberts, the pseudonymous head of SR 2.0. In what are arguably his most breathy public remarks to date the 'new' DPR, who either cribbed his handle from the DPR of SR 1.0 fame or who is indeed the original DPR, opened up to Mike Power on his long-term vision for the site." -
One Year Since John McAfee Fled Belize
Velcroman1 writes "It has been a year since fallen software magnate John McAfee fled his adopted home and country — wanted by police for questioning in connection to the murder of his neighbor. In that year, the often eccentric programming pioneer led the media and the public on a wild ride with his outlandish behavior and off-the-wall statements during a catch-me-if you-can escape from the small Central American country. McAfee is a person of interest in the investigation surrounding the murder of his neighbor, American ex-pat Gregory Faull, near his compound in San Pedro Town on the island of Ambergris Caye. No headway has been made in the investigation — and authorities in Belize are still looking to speak with McAfee. 'Nothing has really changed. It's not a closed case,' police spokesman Raphael Martinez said. 'He is still a person of interest.'" -
British Intelligence Responds To Slashdot About Man-in-Middle Attack
Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog. -
British Intelligence Responds To Slashdot About Man-in-Middle Attack
Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog. -
British Intelligence Responds To Slashdot About Man-in-Middle Attack
Nerval's Lobster writes "The GCHQ agency, Britain's equivalent of the National Security Agency, reportedly used fake LinkedIn and Slashdot pages to load malware onto computers at Belgian telecommunications firm Belgacom. In an emailed statement to Slashdot, the GCHQ's Press and Media Affairs Office wrote: 'We have no comment to make on this particular story.' It added: 'All GCHQ's work is carried out in accordance with a strict legal and policy framework which ensure that our activities are authorised, necessary and proportionate, and that there is rigorous oversight, including from the Secretary of State, the Interception and Intelligence Services Commissioners and the Intelligence and Security Committee.' Meanwhile, LinkedIn's representatives suggested they had no knowledge of the reported hack. 'We have read the same stories, and we want to clarify that we have never cooperated with any government agency,' a spokesperson from the social network wrote in an email to Slashdot, 'nor do we have any knowledge, with regard to these actions, and to date, we have not detected any of the spoofing activity that is being reported.' An IT security expert with extensive knowledge of government intelligence operations, but no direct insight into the GCHQ, hypothesized to Slashdot that carrying out a man-in-the-middle attack was well within the capabilities of British intelligence agencies, but that such a 'retail' operation also seemed somewhat out of character. 'Based on what we know they've done, they are doing industrialized, large scale traffic sweeping and net hacking,' he said. 'They operate a wholesale, with statistical techniques. By "statistical" I mean that they send something that may or may not work.' With that in mind, he added, it's plausible that the GCHQ has software that operates in a similar manner to the NSA's EGOTISTICAL GIRAFFE, and used it to redirect Belgacom employees to a fake download. 'However, the story has been slightly garbaged into it being fake [LinkedIn and Slashdot] accounts, as opposed to network spoofing.'" Update: You can read the official statement from Slashdot's parent company, Dice Holdings, here on our blog. -
Typhoon Haiyan Continues To Scourge Southeast Asia
jones_supa writes "ABC Australia is reporting extensively about the progress of the Typhoon Haiyan, which has reached the status of being one of the strongest tropical cyclones ever recorded. Over the weekend it has caused severe destruction and misery passing through Philippines with maximum sustained winds of 315 km/h, where the authorities are now struggling to bring relief to areas worst affected, there being 10,000 people dead. The storm is now heading towards Vietnam, where already over 600,000 people have been evacuated. Meanwhile, China announced its highest alert for Typhoon Haiyan as six crew members of a cargo boat were reported missing. Vietnam is likely to be spared the storm's initial ferocity as it has weakened over the South China Sea and is now expected to hit as a category 1 storm, with wind speeds of about 74 km/h, meteorologists say." -
Scientists Invent Urine-Powered Robots
Lucas123 writes "Researchers have already built robots that can use microorganisms to digest waste material, such as rotten fruit and vegetables, and generate electricity from it. This time, a group of scientists has taken that concept to a strange, new place: urine-powered robots. The scientists from the University of the West of England, Bristol and the University of Bristol constructed a system in robots that functions like the human heart, except it's designed to pump urine into the robot's 'engine room,' converting the waste into electricity and enabling the robot to function completely on its own. The researchers hope the system, which can hold 24.5 ml of urine, could be used to power future generations of robots, or what they're calling EcoBots. 'In the city environment, they could re-charge using urine from urinals in public lavatories,' said Peter Walters, a researcher with the University of the West of England. 'In rural environments, liquid waste effluent could be collected from farms.'" -
Mark Shuttleworth Apologizes for Trademark Action Against Fix Ubuntu
A few days ago, the operator of Fix Ubuntu received a threatening letter from Canonical commanding him to cease using the Ubuntu name or logo. Last night, Mark Shuttleworth posted an update noting that it shouldn't have happened, and also apologizing for calling opponents of Mir the open source tea party. "In order to make the amount of [trademark related] correspondence manageable, we have a range of standard templates for correspondence. They range from the 'we see you, what you are doing is fine, here is a license to use the name and logo which you need to have, no need for further correspondence,' through 'please make sure you state you are speaking for yourself and not on behalf of the company or the product,' to the 'please do not use the logo without permission, which we are not granting unless you actually certify those machines,' and 'please do not use Ubuntu in that domain to pretend you are part of the project when you are not.' Last week, the less-than-a-month-at-Canonical new guy sent out the toughest template letter to the folks behind a “sucks” site. Now, that was not a decision based on policy or guidance; as I said, Canonical’s trademark policy is unusually generous relative to corporate norms in explicitly allowing for this sort of usage. It was a mistake, and there is no question that the various people in the line of responsibility know and agree that it was a mistake. It was no different, however, than a bug in a line of code, which I think most developers would agree happens to the best of us. It just happened to be, in that analogy, a zero-day remote root bug. ... On another, more personal note, I made a mistake myself when I used the label “open source tea party” to refer to the vocal non-technical critics of work that Canonical does. That was unnecessary and quite possibly equally offensive to members of the real Tea Party (hi there!) and the people with vocal non-technical criticism of work that Canonical does (hello there!)." -
Mark Shuttleworth Apologizes for Trademark Action Against Fix Ubuntu
A few days ago, the operator of Fix Ubuntu received a threatening letter from Canonical commanding him to cease using the Ubuntu name or logo. Last night, Mark Shuttleworth posted an update noting that it shouldn't have happened, and also apologizing for calling opponents of Mir the open source tea party. "In order to make the amount of [trademark related] correspondence manageable, we have a range of standard templates for correspondence. They range from the 'we see you, what you are doing is fine, here is a license to use the name and logo which you need to have, no need for further correspondence,' through 'please make sure you state you are speaking for yourself and not on behalf of the company or the product,' to the 'please do not use the logo without permission, which we are not granting unless you actually certify those machines,' and 'please do not use Ubuntu in that domain to pretend you are part of the project when you are not.' Last week, the less-than-a-month-at-Canonical new guy sent out the toughest template letter to the folks behind a “sucks” site. Now, that was not a decision based on policy or guidance; as I said, Canonical’s trademark policy is unusually generous relative to corporate norms in explicitly allowing for this sort of usage. It was a mistake, and there is no question that the various people in the line of responsibility know and agree that it was a mistake. It was no different, however, than a bug in a line of code, which I think most developers would agree happens to the best of us. It just happened to be, in that analogy, a zero-day remote root bug. ... On another, more personal note, I made a mistake myself when I used the label “open source tea party” to refer to the vocal non-technical critics of work that Canonical does. That was unnecessary and quite possibly equally offensive to members of the real Tea Party (hi there!) and the people with vocal non-technical criticism of work that Canonical does (hello there!)." -
Nvidia GeForce GTX 780 Ti Review: GK110, Fully Unlocked
An anonymous reader writes "Nvidia lifted the veil on its latest high-end graphics board, the GeForce GTX 780 Ti. With a total of 2,880 CUDA cores and 240 texture units, the GK110 GPU inside the GTX 780 Ti is fully unlocked. This means that the new card has an additional SMX block, 192 more shader cores, and 16 additional texture units than the $1,000 GTX Titan launched back in February! Offered at just $700, the GTX 780 Ti promises to improve gaming performance over the Titan, yet the card has been artificially limited in GPGPU performance — no doubt in order to make sure the pricier card remains relevant to those unable or unwilling to spring for a Quadro. The benchmark results simply illustrate the GTX 780 Ti's on-paper specs. The card was able to beat AMD's just-released flagship, the Radeon R9 290x by single-digit percentages, up to double-digits topping 30% — depending on the variability of AMD's press and retail samples." -
Nvidia GeForce GTX 780 Ti Review: GK110, Fully Unlocked
An anonymous reader writes "Nvidia lifted the veil on its latest high-end graphics board, the GeForce GTX 780 Ti. With a total of 2,880 CUDA cores and 240 texture units, the GK110 GPU inside the GTX 780 Ti is fully unlocked. This means that the new card has an additional SMX block, 192 more shader cores, and 16 additional texture units than the $1,000 GTX Titan launched back in February! Offered at just $700, the GTX 780 Ti promises to improve gaming performance over the Titan, yet the card has been artificially limited in GPGPU performance — no doubt in order to make sure the pricier card remains relevant to those unable or unwilling to spring for a Quadro. The benchmark results simply illustrate the GTX 780 Ti's on-paper specs. The card was able to beat AMD's just-released flagship, the Radeon R9 290x by single-digit percentages, up to double-digits topping 30% — depending on the variability of AMD's press and retail samples." -
Ink-Jet Printing Custom-Designed Micro Circuits
Nerval's Lobster writes "Researchers have demonstrated a technique that produces inexpensive, functional electrical circuits that can be printed using about $300 worth of materials and equipment, including generic inkjet printers. The technique, developed by researchers from Georgia Tech, the University of Tokyo and Microsoft Research, allows circuits to be printed onto irregularly-shaped materials or almost anything able to go through the paper feed on a printer designed for consumers. The chief advantage of the technique is the ability to print circuits using silver nanoparticle ink rather than relying on the thermal-bonding technique called sintering, which is time-consuming and can destroy delicate base materials. Researchers were able to print new circuits in about 60 seconds on almost any material that could go through the printer, though resin-covered paper, PET film and glossy photo paper worked best, while sheets of canvas cloth and anything magnetic were ineffective. Once printed using silver ink on flexible base material, the circuits can be attached to existing hardware by simply laying or taping them in place and making connections using conductive tape or conductive glue. (Soldering would destroy the underlying material.)" -
Ninth Anniversary of Firefox 1.0 Release
Nine years ago today, Firefox 1.0 was released. Mozilla writes "Mozilla created Firefox to be an amazingly fun, safe, and fast Web browser that embodies the values of our mission to promote openness, innovation and opportunity online. In the nine years since we first launched Firefox, we have moved and shaped the Web into the most valuable public resource of our time." The first release of the little project to write a lighter alternative to Seamonkey is a bit over a year older. -
Ninth Anniversary of Firefox 1.0 Release
Nine years ago today, Firefox 1.0 was released. Mozilla writes "Mozilla created Firefox to be an amazingly fun, safe, and fast Web browser that embodies the values of our mission to promote openness, innovation and opportunity online. In the nine years since we first launched Firefox, we have moved and shaped the Web into the most valuable public resource of our time." The first release of the little project to write a lighter alternative to Seamonkey is a bit over a year older. -
Tesla Fires and Firestorms: Let's Breathe and Review Some Car Fire Math
cartechboy writes "There are about 150,000 vehicle fires reported every year in the U.S. — about 17 every hour, on average. But when that vehicle fire is a Tesla, the Internet notices. There have now been three fires among roughly 20,000 Tesla Model S electric cars on the road so far. The stock is down, the Feds are asking questions and the Internet is swimming in Tesla news. It may be time to check the facts and review some math (hint: we're looking at roughly one fire for every 33 million miles driven so far) and then breathe. Then look at what we know, what we don't know, and what we should know." -
Amazon Gets Blow-Back Over Plan To Sell Kindles At Small Bookshops
Rambo Tribble writes "No sooner had Amazon revealed their plan to offer independent book shops the Kindle for re-sale, along with a kick-back on e-book purchases, than the fur began to fly. It appears the shops view the plan as Amazon-assisted suicide. Given the apparent terms of the deal, it looks like they may have a point. Amazon may well have done themselves more harm than good with this ploy. One storeowner wrote, 'Hmmm, let's see. We sell Kindles for essentially no profit, the new Kindle customer is in our store where they can browse and discover books, the new Kindle customer can then check the price on Amazon and order the e-book. We make a little on their e-book purchases, but then lose them as a customer completely after two years. Doesn't sound like such a great partnership to me.'" -
Taking Google's QUIC For a Test Drive
agizis writes "Google presented their new QUIC (Quick UDP Internet Connections) protocol to the IETF yesterday as a future replacement for TCP. It was discussed here when it was originally announced, but now there's real working code. How fast is it really? We wanted to know, so we dug in and benchmarked QUIC at different bandwidths, latencies and reliability levels (test code included, of course), and ran our results by the QUIC team." -
Stephen Elop Would Pull a Nokia On Microsoft
Nerval's Lobster writes "A new Bloomberg report suggests that Stephen Elop, who's apparently on the short list of candidates to replace Steve Ballmer as Microsoft's CEO, would eliminate company projects such as Xbox and Bing while focusing resources on Office. Before he left Microsoft to join Nokia, Elop headed Microsoft's Business Division, so it's no surprise he'd want to focus on Office and the company's other, highly profitable enterprise software. But as head of Nokia, Elop made similarly bold strategic realignments that, while they probably looked good on paper, didn't quite work out. Specifically, Elop decided to abandon Nokia's popular homegrown operating systems, including Symbian, in favor of Microsoft's Windows Phone. That caused Nokia's share of the overall mobile-device market to dive into the single digits. At the time, Elop insisted he made the decision because Symbian and its ilk were incapable of competing in the broader market against Android and iOS; revelations by the Finnish media over the past few months, however, suggest that he'd been offered a generous cash incentive for selling off the company, which gives his 'strategic realignment' (which everyone knew would initially collapse Nokia's market-share, as its product pipeline emptied out) a whiff of self-interest. So while it's likely that a Microsoft run by Elop would make some decisive moves, his previous attempt at game-changing quickly transformed Nokia from a communications powerhouse into a second-tier competitor and (eventually) a Microsoft subsidiary. And by eliminating Bing and Xbox, Microsoft would be giving up completely on the search and gaming markets in favor of becoming more of an enterprise-centric company—something that could please analysts mostly interested in the company's bottom line, but basically an admission of defeat in the consumer realm." -
Stephen Elop Would Pull a Nokia On Microsoft
Nerval's Lobster writes "A new Bloomberg report suggests that Stephen Elop, who's apparently on the short list of candidates to replace Steve Ballmer as Microsoft's CEO, would eliminate company projects such as Xbox and Bing while focusing resources on Office. Before he left Microsoft to join Nokia, Elop headed Microsoft's Business Division, so it's no surprise he'd want to focus on Office and the company's other, highly profitable enterprise software. But as head of Nokia, Elop made similarly bold strategic realignments that, while they probably looked good on paper, didn't quite work out. Specifically, Elop decided to abandon Nokia's popular homegrown operating systems, including Symbian, in favor of Microsoft's Windows Phone. That caused Nokia's share of the overall mobile-device market to dive into the single digits. At the time, Elop insisted he made the decision because Symbian and its ilk were incapable of competing in the broader market against Android and iOS; revelations by the Finnish media over the past few months, however, suggest that he'd been offered a generous cash incentive for selling off the company, which gives his 'strategic realignment' (which everyone knew would initially collapse Nokia's market-share, as its product pipeline emptied out) a whiff of self-interest. So while it's likely that a Microsoft run by Elop would make some decisive moves, his previous attempt at game-changing quickly transformed Nokia from a communications powerhouse into a second-tier competitor and (eventually) a Microsoft subsidiary. And by eliminating Bing and Xbox, Microsoft would be giving up completely on the search and gaming markets in favor of becoming more of an enterprise-centric company—something that could please analysts mostly interested in the company's bottom line, but basically an admission of defeat in the consumer realm." -
Credit Card Numbers Still Google-able
Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.
In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.
The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.
So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)
It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."
After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."
Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."
(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)
Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.
-
Credit Card Numbers Still Google-able
Slashdot contributor Bennett Haselton writes "In 2007, I wrote that you could find troves of credit card numbers on Google, most of them still active, using the simple trick of Googling the first 8 digits of your credit card number. The trick itself had been publicized by other writers at least as far back as 2004, but in 2013, it appears to still be just as easy. One possible solution that I didn't consider last time, would be for Google itself to notify the webmasters and credit card companies of the leaked information, and then display a warning alongside the search results." Read on for the rest of Bennett's thoughts.If you have a Visa, Mastercard, or Discover Card number handy, do a Google search for the first 8 digits in the form "1234 5678" (don't forget the double quotes around the numbers, and the space in the middle). The odds are that you will find at least some pages among the search results which include other credit card numbers that begin with the same 8 digits. Those Google hits will frequently be in the form of a spreadsheet or document that looks like it was made for someone's internal use and wasn't meant to be leaked on the Web, and some of those documents will include entire lists of other credit card numbers as well. (The search trick doesn't work for American Express cards, since their card numbers are usually stored in the form "3xxx xxxxxx xxxxx", and it's far less likely for your card to share the same initial 10 digits with someone else's credit card. But of course if you hit on a page that contains a list of credit card numbers, there will probably be some AmEx cards in that list.) Of the pages that I found containing leaked credit cards, often they would also contain other sensitive data like passwords and social security numbers. Don't do anything I wouldn't do.
In my 2007 article, I wrote, "Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it." I suggested for credit card companies to run a Google search every day or week for all of the possible 8-digit prefixes that could correspond to their card numbers, and then to deactivate any card numbers that were found in this way. They could also send a request to Google to remove the page from Google's index because it contains credit card numbers (there is already a public-facing removal request tool for this purpose). And finally, if it was a merchant that leaked customers' credit card numbers online, then the merchant should be sanctioned as well.
The problem with all of these suggestions is that there doesn't seem to be sufficient incentive on the part of the people who have to implement them. If a credit card company has to refund a fraudulent charge, they usually just take the money back from the merchant who originally received it, and it costs the credit card company nothing. (During my brief stint running a company that accepted online credit card payments, sometimes a "customer" that we had interacted with and who definitely knew who we were, would decide to call their credit card company and "dispute" the charge for no reason, and the card processor would just take the money out of our balance and hand it back to the customer.) So credit card companies themselves apparently lack the incentive to fix the problem.
So perhaps the easiest fix could come from Google, a company that actually has no incentive at all to fix the problem, except for the fact that it would be a neat idea. Although their "Don't Be Evil" motto has taken a lot of beatings, they still do some basically responsible things for reasons that don't seem to contribute directly to their bottom line. (The fact that they have a tool at all for requesting the removal of pages containing credit card numbers, for example.)
It should be pretty easy for Google to run its own queries internally, based on all possible 8-digit credit card prefixes, to find pages that list any sequence of 16 digits beginning with those 8. Then could do a quick mathematical test on the 16-digit sequence to see if it's a valid credit card number. Then scan their own cached copy of that web page to see how many other valid credit card numbers they can find. Then propagate all of those numbers back to contact points at Visa, MasterCard, American Express and Discover, saying, "We found this credit card number leaked onto the Web; you should cancel the number and issue a new one."
After that point, should Google delete the page from their search results themselves? On the one hand, it clearly helps reduce credit card fraud to remove pages from their index that contain working credit cards. On the other hand, the purist in me doesn't like the thought of Google removing information from their index. After all, if the problem is that a list of credit card numbers has been leaked on a webpage, having that page show up in Google shines a light on the problem; removing it from the index doesn't make the problem go away. (The page could still be found through other search engines; or credit card thieves could have already found the page on Google and saved a copy before Google de-indexed it.) Perhaps a compromise could be that once Google has received confirmation from the credit card companies that all of the card numbers on a given page had been de-activated, it could restore the page to their index, but it would be displayed in search results with a warning saying, "This page contains personal credit card account information; all of the credit card account numbers listed have been de-activated."
Unfortunately this doesn't work if the page also contains other sensitive information that can't be un-compromised just by closing an account — e.g., Social Security Numbers, or addresses and phone numbers. (In any case, Google's removal policies specifically say that they won't remove a page from their index just because the page contains a person's address or phone number.) So maybe the better answer really is to just leave the page out of the search results permanently, over the objections of the "purists."
(I may or may not have found some evidence that Bing is more aggressive about removing pages from search results that contain credit cards. I took a "trove" of 11 credit cards that I found through one of my Google searches, and for each of the 11 card numbers, ran a query on both Google and Bing for the first 8 digits. On Google, 8 out of the 11 queries returned at least one page containing more credit card numbers, not counting the original page which had had supplied the "trove" of numbers that I started with. On Bing, however, only 3 out of 11 queries returned pages with more card numbers. This could indicate that Bing is more conscientious about removing pages from search results that contain sensitive personal information. Or it might just mean that they're not as good as Google.)
Of course the fundamental problem with credit card number security has always been that you have to use the same "token" — your credit card number — for every purchase, with every merchant. (There are card companies that let you generate one-time-use numbers for every purchase, but almost nobody uses those.) Maybe in a few years, credit card numbers will be supplanted by more secure payment protocols and fall by the wayside, but that's also what I thought in 2007.
-
Third Tesla Fire Means Feds To Begin Review
cartechboy writes "In early October, a Tesla caught on fire in Washington state — and that created a little bit of a stir. Then just before Halloween a second Tesla caught fire. Yesterday, a third Model S caught fire in Tennessee. With the third fire in the books, all happening in similar fashion, today federal investigators are saying they are going to take a look at the situation more closely. As electric car maker's stock shares continue to tumble, some are saying the fires aren't a big deal." -
TrueCrypt To Go Through a Crowdfunded, Public Security Audit
An anonymous reader writes "After all the revelations about NSA's spying efforts, and especially after the disclosure of details about its Bullrun program aimed at subverting encryption standards and efforts around the world, the question has been raised of whether any encryption software can be trusted. Security experts have repeatedly said that it you want to trust this type of software, your best bet is to choose software that is open source. But, in order to be entirely sure, a security audit of the code by independent experts sounds like a definitive answer to that issue. And that it exactly what Matthew Green, cryptographer and research professor at Johns Hopkins University, and Kenneth White, co-founder of hosted healthcare services provider BAO Systems, have set out to do. The software that will be audited is the famous file and disk encryption software package TrueCrypt. Green and White have started fundraising at FundFill and IndieGoGo, and have so far raised over $50,000 in total." (Mentioned earlier on Slashdot; the now-funded endeavor is also covered at Slash DataCenter.)