April 24, 2014

The Next Step towards an Open Internet

Now that the FCC has finally acted to safeguard network neutrality, the time has come to take the next step toward creating a level playing field on the rest of the Information Superhighway. Network neutrality rules are designed to ensure that large telecommunications companies do not squelch free speech and online innovation. However, it is increasingly evident that broadband companies are not the only threat to the open Internet. In short, federal regulators need to act now to safeguard social network neutrality.

The time to examine this issue could not be better. Facebook is the dominant social network in countries other than Brazil, where everybody uses Friendster or something. Facebook has achieved near-monopoly status in the social networking market. It now dominates the web, permeating all aspects of the information landscape. More than 2.5 million websites have integrated with Facebook. Indeed, there is evidence that people are turning to social networks instead of faceless search engines for many types of queries.

Social networks will soon be the primary gatekeepers standing between average Internet users and the web’s promise of information utopia. But can we trust them with this new-found power? Friends are unlikely to be an unbiased or complete source of information on most topics, creating silos of ignorance among the disparate components of the social graph. Meanwhile, social networks will have the power to make or break Internet businesses built atop the enormous quantity of referral traffic they will be able to generate. What will become of these businesses when friendships and tastes change? For example, there is recent evidence that social networks are hastening the decline of the music industry by promoting unknown artists who provide their music and streaming videos for free.

Social network usage patterns reflect deep divisions of race and class. Unregulated social networks could rapidly become virtual gated communities, with users cut off from others who could provide them with a diversity of perspectives. Right now, there’s no regulation of the immense decision-influencing power that friends have, and there are no measures in place to ensure that friends provide a neutral and balanced set of viewpoints. Fortunately, policy-makers have a rare opportunity to preempt the dangerous consequences of leaving this new technology to develop unchecked.

The time has come to create a Federal Friendship Commission to ensure that the immense power of social networks is not abused. For example, social network users who have their friend requests denied currently have no legal recourse. Users should have the option to appeal friend rejections to the FFC to verify that they don’t violate social network neutrality. Unregulated social networks will give many users a distorted view of the world dominated by the partisan, religious, and cultural prejudices of their immediate neighbors in the social graph. The FFC can correct this by requiring social networks to give equal time to any biased wall post.

However, others have suggested lighter-touch regulation, simply requiring each person to have friends of many races, religions, and political persuasions. Still others have suggested allowing information harms to be remedied through direct litigation—perhaps via tort reform that recognizes a new private right of action against violations of the “duty to friend.” As social networking software will soon be found throughout all aspects of society, urgent intervention is needed to forestall “The Tyranny of The Farmville.”

Of course, social network neutrality is just one of the policy tools regulators should use to ensure a level playing field. For example, the Department of Justice may need to more aggressively employ its antitrust powers to combat the recent dangerous concentration of social networking market share on popular micro-blogging services. But enacting formal social network neutrality rules is an important first step towards a more open web.

My Experiment with "Digital Drugs"

The latest scare meme is “digital drugs” or “i-dosing”, in which kids listen to audio tracks that supposedly induce altered mental states. Concerned adults fear that these “digital drugs” may be a gateway to harder (i.e., actual) drugs. Rumors are circulating among some kids: “I heard it was like some weird demons and stuff through an iPod”. In a way, it’s a perfect storm of scare memes, involving (1) “drugs”, (2) the Internet, and (3) kids listening to freaky music.

When I heard about these “digital drugs”, I naturally had to try them, in the interest of science.

(All joking aside, I only did this because I knew it was safe and legal. I don’t like to mess with my brain. I rely on my brain to make my living. Without my brain, I’d be … a zombie, I guess.)

I downloaded a “digital drug” track, donned good headphones, lay down on my bed, closed my eyes, blanked my mind, and pressed “play”. What I heard was a kind of droning noise, accompanied by a soft background hiss. It was not unlike the sound of a turboprop airplane during post-takeoff ascent, with two droning engines and the soft hiss of a ventilation fan. This went on for about fifteen minutes, with the drone changing pitch every now and then. That was it.

Did this alter my consciousness? Not really. If anything, fifteen minutes of partial sensory deprivation (eyes closed, hearing nothing but droning and hissing) might have put me in a mild meditative state, but frankly I could have reached that state more easily without the infernal droning, just by lying still and blanking my mind.

Afterward I did some web surfing to try to figure out why people think these sounds might affect the brain. To the extent there is any science at all behind “digital drugs”, it involves playing sounds of slightly different frequencies into your two ears, thereby supposedly setting up a low-frequency oscillation in the auditory centers of your brain, which will supposedly interact with your brain waves that operate at a very similar frequency. This theory could be hooey for all I know, but it sounds kind of science-ish so somebody might believe it. I can tell you for sure that it didn’t work on me.

So, kids: don’t do digital drugs. They’re a waste of time. And if you don’t turn down the volume, you might actually damage your hearing.

CITP Expands Scope of RECAP

Today, we’re thrilled to announce the next version of our RECAP technology, dramatically expanding the scope of the project.

Having had some modest success at providing public access to legal documents, we’re now taking the next logical step, offering easy public access to illegal documents.

The Internet Archive, which graciously hosts RECAP’s repository of legal documents, was strangely unreceptive to our offer to let them store the world’s most comprehensive library of illegal documents. Fortunately, the Pirate Bay was happy to step in and help.

Interested in seeing what’s available? Then you might want to watch our brief instructional video.

A Modest Proposal: Three-Strikes for Print

Yesterday the French parliament adopted a proposal to create a “three-strikes” system that would kick people off the Internet if they are accused of copyright infringement three times.

This is such a good idea that it should be applied to other media as well. Here is my modest proposal to extend three-strikes to the medium of print, that is, to words on paper.

My proposed system is simplicity itself. The government sets up a registry of accused infringers. Anybody can send a complaint to the registry, asserting that someone is infringing their copyright in the print medium. If the government registry receives three complaints about a person, that person is banned for a year from using print.

As in the Internet case, the ban applies to both reading and writing, and to all uses of print, including informal ones. In short, a banned person may not write or read anything for a year.

A few naysayers may argue that print bans might be hard to enforce, and that banning communication based on mere accusations of wrongdoing raises some minor issues of due process and free speech. But if those issues don’t trouble us in the Internet setting, why should they trouble us here?

Yes, if banned from using print, some students will be unable to do their school work, some adults will face minor inconvenience in their daily lives, and a few troublemakers will not be allowed to participate in — or even listen to — political debate. Maybe they’ll think more carefully the next time, before allowing themselves to be accused of copyright infringement.

In short, a three-strikes system is just as good an idea for print as it is for the Internet. Which country will be the first to adopt it?

Once we have adopted three-strikes for print, we can move on to other media. Next on the list: three-strikes systems for sound waves, and light waves. These media are too important to leave unprotected.

[Français]

On the emotions you feel when you do a security review

[I'm happy to introduce Dan Wallach, who will be blogging here from time to time. Dan is an Associate Professor of Computer Science at Rice University. He's a leading security expert who has done great work on several topics, including e-voting. – Ed]

I was one of the co-authors of the Hart InterCivic source code report, as part of California’s “top to bottom” analysis of its voting systems. As many Freedom to Tinker readers now know, we found problems. Lots of problems. I’ve done this sort of thing before, as have many others, and I realized that there’s a somewhat odd emotion that we all feel when we do it. You’re happy because you found how to break something, but you’re sad that the system is so poorly engineered. It’s a great accomplishment that we were able to discover so much, but it’s terrible that widely used systems have such easily exploitable vulnerabilities. What word can describe that good/bad emotion?

About a year ago, I started asking everybody I knew, speakers of any language, if their language had a word to describe that emotion. Somebody, somewhere, must have such a word. There are lots of close-but-no-cigar choices, such as:

Schadenfreude (German) – the pleasure you feel at somebody else’s pain (common example: laughing at Hollywood celebrities arrested for drunk driving)

Bathos (Greek) – mixing serious issues with humor (a common literary device)

Neither quite captures it. Finally, in a discussion with my colleague, Moshe Vardi, we came up with a Yiddish coinage that seems to do the trick: oy gevaldik.

Origin? Oy vey is a standard Yiddish expression of woe (similar to “oh boy”). Oy gevalt is a stronger version of the same expression (similar to “oh expletive” for milder expletives). Curiously, the Yiddish word for beautiful is gevaldik, which sounds similar to gevalt. Put it together, and you get oy gevaldik. Oh, beautiful. And that’s what security reviews are all about.

Woman Registers Dog to Vote, Demonstrates Ease of Fraud

A woman in Seattle registered her dog to vote, and submitted absentee ballots in three elections on the dog’s behalf, according to an AP story.

The woman, Jane Balogh, said she did this to demonstrate how easy it would be for a noncitizen to vote. She put her phone bill in her dog’s name (“Duncan M. MacDonald”) and then used the phone bill as evidence of residency. She submitted absentee ballots in Duncan’s name three times, each ballot “signed” with a paw print. She says the ballots did not designate any candidates and only had “void” written on them, so the elections were not affected.

Nevertheless, she broke the law and now faces charges.

This relates to an issue every applied security researcher has faced: how to demonstrate a security problem is real. People take a problem more seriously when they have seen a real, working demonstration of the problem – otherwise the problem will be dismissed as theoretical. Often there is a lawful way to demonstrate a problem, for example by “breaking in” to your own computer. But sometimes there is no way to demonstrate a problem without breaking the law. Careful researchers will stop and assess the legality of what they’re planning to do, and will hold back if the demo they’re considering breaks the law.

Ms. Balogh went ahead and broke the law. Beyond that (serious) misstep, she did everything right: admitting what she did, avoiding any side-effect on the elections by filing blank ballots, and leaving obvious clues like the paw prints.

Fortunately for her, the prosecutor decided not to charge her with a felony but instead offered to let her plead guilty to a misdemeanor, pay a $250 fine, and do ten hours of community service. She was lucky to get this and will apparently accept the deal.

Any readers considering such a stunt should think again. The next prosecutor may not be so forgiving.

You Can Own an Integer Too — Get Yours Here

Remember last week’s kerfuffle over whether the movie industry could own random 128-bit numbers? (If not, here’s some background: 1, 2, 3)

Now, thanks to our newly developed VirtualLandGrab technology, you can own a 128-bit integer of your very own.

Here’s how we do it. First, we generate a fresh pseudorandom integer, just for you. Then we use your integer to encrypt a copyrighted haiku, thereby transforming your integer into a circumvention device capable of decrypting the haiku without your permission. We then give you all of our rights to decrypt the haiku using your integer. The DMCA does the rest.

The haiku is copyright 2007 by Edward W. Felten:

We own integers,
Says AACS LA.
You can own one too.

Here is your very own 128-bit integer, which we hereby deed to you:

[can't display integer]

If you’d like another integer, just hit Shift-Reload, and we’ll make a fresh one for you. Make as many as you want! Did we mention that a shiny new integer would make a perfect Mother’s Day gift?

If you like our service, you can upgrade for a low annual fee to VirtualLandGrab Gold – and claim thousands of integers with a single click!

Miracle Fruit: Tinkering with our Taste Buds

Miraculin, the extract of a West African fruit, is said to make sour foods taste sweet. It’s not sugary, but it’s said to trick your taste buds into misreporting the flavor of the food you’re eating. One of my students, Bill Zeller, bought some miraculin and a group of us tried it out. Here, in the interest of science, is my report.

Miraculin is a lumpy powder, dull red in color, that results from freeze-drying the flesh of the so-called miracle fruit. Here’s about twenty-five grams of miraculin, with a lime for size comparison.

Bill bought fifty grams of miraculin, which came by mail from Ghana. Both Ghana and the U.S. required customs paperwork before the fruit-based product could be shipped. Here’s the Republic of Ghana export permit.

I took a lump of miraculin, weighing a gram or two, and carefully ate it, pushing it around on my tongue as it dissolved.

It didn’t have much taste, and the texture was a bit gummy. Once it was all dissolved I waited a minute or so for the effect to kick in. The effect is said to wear off after about twenty minutes, so it was time for the taste test to begin.

As predicted, the miraculin made sour things taste sweet. Lemon wedges tasted like sweet lemonade. Lime wedges were sweet too. I could still sense the acidity of the fruit, and there was a detectable sour taste but it seemed to be covered over with a pleasant citrus sweetness. I could have eaten whole lemons or limes with no problem.

The grapefruit was stunning, perhaps the best-tasting fruit I have ever eaten. The ones we had were pretty sweet already as grapefruit go, but with miraculin they were distinctly but not overly sweet, and the underlying grapefruit flavor came through beautifully. I had to stop myself from wolfing down several grapefruit.

After the fruit I tried some other foods that were handy. Pizza tasted about the same as usual, though the tomato sauce had a slightly sweet tinge. Diet Dr. Pepper tasted normal. I tried some Indian food – samosas and curried chickpeas – and found the flavor unchanged except that the spiciness was intensified. The normally mild potato-based samosa filling had a spicy kick. Miraculin did nothing for a sweet dessert.

My verdict on miraculin? It’s pleasant and I’m glad I tried it, but it’s not a life-changing experience. I can imagine it becoming popular. It makes some healthy foods taste better, and it’s not too expensive. The amount I had would cost less than a dollar today if you bought in bulk, and there must be unexploited economies of scale.

Thanks to Bill Zeller for getting the miraculin, to my co-investigators, and Alex Halderman for taking the photos.

Is SafeMedia a Parody?

[UPDATE (Dec. 2011): I wrote the post below a few years ago. SafeMedia's website and product offerings have changed since then. Please don't interpret this post as a commentary on SafeMedia's current products.]

Peter Eckersley at EFF wrote recently about a new network-filtering company called SafeMedia that claims it can block all copyrighted material in a network. We’ve seen companies like this before and they tend to have the warning signs of security snake oil.

But SafeMedia was new so I decided to look at their website. My reaction was: what a brilliant parody!

The biggest clue is that the company’s detection product is called Clouseau – named for a detective who is not only spectacularly incompetent but also fictional.

The next clue is the outlandish technical claims. Here’s an example:

Pirates are smart and innovative, and so is Clouseau. Our technology is dynamic, sees through all multi-layered encryptions, adaptively analyzes network patterns and constantly updates itself. Packet examinations are noninvasive and infallible. There are no false positives.

Sees through all encryption? Even our best intelligence agencies don’t make that claim. Perhaps that’s because the intelligence agencies know about provably unbreakable encryption.

Wait a minute, you may be saying. Perhaps SafeMedia was just making the usual exaggeration, implying that they can stop all bad traffic when what they really mean is that they can stop the most common, obvious kinds of bad traffic. Good guess – that’s the usual fallback position for companies like this – but SafeMedia doesn’t shrink from the most outlandish claims of infallibility:

What if illegal P2P no longer worked? What if, no matter how intelligent, devious, or well-funded an Internet pirate was, they absolutely could not transmit copyrighted material via P2P? SafeMedia’s goal was to create the technology that would achieve exactly this. And we succeeded.

Employing our new technology, Clouseau and Windows + Transport Control, makes illegal P2P transmission of copyrighted material impossible. IMPOSSIBLE. Not difficult and not improbable. IMPOSSIBLE!

The next clue that SafeMedia is a parody is the site’s blatant rent-seeking. There’s even a special page for lawmakers that starts with over-the-top rhetoric about P2P (“America is at war here at home within our own borders. And we are taking casualties. Women, men, and children.”) and ends by asking the U.S. government to act as SafeMedia’s marketing department:

We need the Congress to pass legislation appropriating funds for installing the technology on every Federally-supported computer network in the country, most importantly in educational institutions (schools, colleges, universities, libraries)…. We need the Department of Commerce to promote using the technology in all American businesses big and small, and to push for its international adoption. We need the Department of Education to insure that every educational institution in the USA, private and public, primary and secondary, college and university, is obeying the law.

You now have the right weapons. Let’s end the war!

Add up all this, plus the overdesigned home page that makes maddening fingers-on-a-blackboard noises when you mouse over its main menu area, and the verdict is clear: this is a parody.

Yet SafeMedia appears to be real. The CEO appears to be a real guy who has done a few e-commerce startups. The site has more detailed help-wanted ads than any parodist would bother with. According to the Internet Archive, the site has been around for a while. And most convincingly of all, an expensive DC law firm has registered as a lobbyist for SafeMedia.

So SafeMedia really exists and company management thought it a good idea to set up a parody-simulating website and name their product Clouseau. What an entertaining world we live in.

(Thanks to Peter Eckersley for sharing the results of his un-Clouseau-ish investigation of SafeMedia’s existence.)

Holiday Stories

It’s time for our holiday hiatus. See you back here in the new year.

As a small holiday gift, we’re pleased to offer updated versions of some classic Christmas stories.

How the Grinch Pwned Christmas: The Grinch, determined to stop Christmas, hacks into Amazon’s servers and cancels all deliveries to Who-ville. The Whos celebrate anyway, gathering in a virtual circle and exchanging user-generated content. When the Grinch sees this, his heart grows two sizes and he priority-ships replacement gifts to Who-ville.

Rudolph the Net-Nosed Reindeer: Rudolph is shunned by his reindeer peers for having a goofy WiFi-enabled nose. But he becomes a hero one foggy Christmas Eve by using the nose to access Google Maps, helping Santa navigate to the homes of good children.

Gift of the eMagi: Poor husband and wife find perfect gifts for each other and bid aggressively for them on eBay. Unbeknownst to them, they’re bidding against each other for the same gift. Determined to express their love by paying whatever it takes to get the gift, they bid themselves into bankruptcy.

NSA Claus is Coming to Town: He sees you when you’re sleeping. He knows when you’re awake. He knows if you’ve been bad or good, so be good or go to Gitmo.

The Little DRM-er Boy: A boy wants to share his recorded drum solo with Baby Jesus, but the file is tethered to a faraway computer. With the aid of three downloads from the East, he rips an MP3 and emails it to Mary and Joseph just in time for Christmas Night.

It’s a Wonderful Second Life: George Bailey believes that Second Life would have been better if he had never signed on at all. He jumps off a bridge … and floats slowly to the ground. Clarence Linden, George’s guardian avatar, restores the server backup from before George signed on, and watches with George while griefers run wild. George sees the error of his ways, and Clarence restores his account.

A Vista Carol: Ebenezer “Steve” Ballmer runs a coding shop in Merry Old Redmond. He forces programmer Bob Cratchit to work overtime on Christmas to meet the Vista ship date. At night, Ballmer is visited by three Ghost images: Windows Past, Windows Present, and Windows Future. [Fill in your own jokes here.] The next morning, Ballmer sends Bob home for Christmas, in exchange for a promise to keep his Blackberry on during dinner.

[Thanks to Alex Halderman and my family for help writing the stories.]