November 27, 2024

Lawyers, Lawyers Everywhere

Frank Field points to an upcoming symposium at Seton Hall on “Peer to Peer at the Crossroads: New Developments and New Directions for the Law and Business of Peer-to-Peer Networking”. Here’s a summary from the symposium announcement:

This Symposium will review recent developments in the law and business of peer-to-peer networks, with a view to determining where the law is going and where it should go. We will examine both the theoretical and practical implications of recent decisions and legislative initiatives, and will offer different perspectives on where the intersection between P2P technology and the law should lie. Our panelists include scholars and practitioners as well as representative from the U.S. Copyright Office.

This sounded pretty good. But reading the announcement more carefully, I noticed something odd: the speakers are all lawyers. If you’re having a conference whose scope includes business and technology, it seems reasonable to have at least some representation from the technology or business communities. Maybe on the panel about “Business Models, Technology, and Trends”?

Now I have nothing against lawyers. Some lawyers really understand technology. A few even understand it deeply. But if I were running a conference on law and technology, and I invited only technologists to speak, this would be seen, rightly, as a big problem. It wouldn’t be much of an excuse for me to say that those technologists know a lot about the law. If I’m inviting ten speakers for a conference on technology and the law, surely I have one slot for somebody whose primary expertise is in the law.

Yet the same argument, running in the other direction, seems not to apply sometimes. Why not?

Security Attacks on Security Software

A new computer worm infects PCs by attacking security software, according to a Brian Krebs story in Saturday’s Washington Post. The worm exploits flaws in two personal firewall products, made by Black Ice and Real Secure Internet. Just to be clear: the firewalls’ flaw is not that they fail to stop the worm, but that they actively create a hole that the worm exploits. People who didn’t buy these firewalls are safe from the worm.

This has to be really embarrassing for the vendor, ISS. The last thing a security product should do is to create more vulnerabilities.

This problem is not unique. Last week, another security product, Norton Internet Security, had a vulnerability reported.

Consumers are still better off, on balance, using PC security products. On the whole, these products close more holes than they open. But this is a useful reminder that all network software carries risks. Careful software engineering is needed everywhere, and especially for security products.

Gleick on the Naming Conundrum

James Gleick has an interesting piece in tomorrow’s New York Times Magazine, on the problems associated with naming online. If you’re already immersed in the ICANN/DNS/UDRP acronym complex, you won’t learn much; but if you’re not a naming wonk, you’ll find the piece a very nice introduction to the naming wars.

New Survey of Spam Trends

The Pew Internet & American Life Project has released results of a new survey of experiences with email spam.

The report’s headline is “The CAN-SPAM Act Has Not Helped Most Email Users So Far”, and this interpretation is followed by the press articles I have seen so far. But it’s not actually supported by the data. Taken at face value, the data show that the amount of spam has not changed since January 1, when the CAN-SPAM Act took effect.

If true, this is actually good news, since the amount of spam had been increasing previously; for example, according to Brightmail, spam had grown from 7% of all email in April 2001, to 50% in September 2003. If the CAN-SPAM Act put the brakes on that increase, it has been very effective indeed.

Of course, the survey demonstrates only correlation, not causality. The level of spam may be steady, but there is nothing in the survey to suggest that CAN-SPAM is the reason.

An alternative explanation is hiding in the survey results: fewer people may be buying spammers’ products. Five percent of users reported having bought a product or service advertised in spam. That’s down from seven percent in June 2003. Nine percent reported having responded to a spam and later discovered it was phony or fraudulent; that’s down from twelve percent in June 2003.

And note that the survey asked whether the respondent had ever responded to a spam, so the decrease in recent response rates would be much more dramatic. To understand why, imagine a group of 200 people who responded to the latest survey. Suppose that 100 of them are Recent Adopters, having started using the Internet since June 2003, and that the other 100 are Longtime Users who went online before June 2003. According to the previous survey, seven of the Longtime Users (i.e., 7%) bought from a spammer before June 2003; and according to the latest survey, only ten of our overall group of 200 users (i.e., 5%) have ever bought from a spammer. It follows that only three of our other 190 hypothetical users responded to a spam since June 2003, so that spammers are finding many fewer new buyers than before.

A caveat is in order here. The survey’s margin of error is three percent, so we can’t be certain there’s a real trend here. But still, it’s much more likely than not that the number of responders really has decreased.

ATM Crashes to Windows Desktop

Yesterday, an ATM in Baker Hall at Carnegie Mellon University crashed, or had some kind of software error, and ended up displaying the Windows XP desktop. Some students started Windows Media Player on it, playing a song that comes preinstalled on Windows XP machines. Students took photos and movies of this.

There’s no way to tell whether the students, starting with the Windows desktop, would have been able to eject the ATM’s stock of cash. As my colleague Andrew Appel observes, it’s possible to design an ATM in a way that prevents it from dispensing cash without the knowledge and participation of a computer back at the bank. For example, the cash dispensing hardware could require some cryptographic message from the bank’s computer before doing anything. Then again, it’s possible to design a Windows-based ATM that never (or almost never) displays the Windows desktop, failing instead into a “technical difficulties – please call customer service” screen, and the designers apparently didn’t adopt that precaution.
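To make the design point concrete, here is an added sketch (not code from the post or from any ATM vendor) of the “cryptographic message from the bank’s computer” idea: the dispenser hands out a random challenge, the bank returns a keyed MAC over the transaction, amount and challenge, and the dispenser moves cash only if the MAC verifies and the challenge has not been used. The key, message format and function names are assumptions for illustration; a compromised ATM PC that lacks the key cannot forge or replay an authorization.

```python
import hmac
import hashlib
import os

# Constructed demo key; in practice it lives in the bank HSM and the dispenser's
# secure element, never on the ATM's general-purpose PC.
SHARED_KEY = b"demo-shared-key-not-for-production"


def bank_authorize(key: bytes, txn_id: str, amount_cents: int, challenge: bytes):
    """Bank host: approve one specific dispense, bound to the dispenser's challenge."""
    msg = f"{txn_id}|{amount_cents}|{challenge.hex()}".encode()
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return msg, tag


class Dispenser:
    """Cash-dispensing hardware: moves cash only on a valid, unused bank authorization."""

    def __init__(self, key: bytes):
        self.key = key
        self.open_challenges = set()   # challenges issued, awaiting authorization
        self.dispensed_cents = 0

    def challenge(self) -> bytes:
        """Issue a fresh random challenge for the next transaction (replay defence)."""
        c = os.urandom(16)
        self.open_challenges.add(c)
        return c

    def dispense(self, msg: bytes, tag: bytes) -> bool:
        """Dispense (return True) only if the bank's MAC verifies and the challenge is live."""
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                        # forged or tampered authorization
        try:
            txn_id, amount, chal_hex = msg.decode().split("|")
            amount_cents = int(amount)
            chal = bytes.fromhex(chal_hex)
        except ValueError:
            return False                        # malformed message
        if chal not in self.open_challenges or amount_cents <= 0:
            return False                        # replayed, unsolicited, or nonsense amount
        self.open_challenges.discard(chal)      # one authorization per challenge
        self.dispensed_cents += amount_cents
        return True
```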

A single, isolated failure like this isn’t, in itself, a big deal. Every ATM transaction is recorded and audited. Banks have the power to adopt loss-prevention technology; they have good historical data on error rates and losses; and they absorb the cost of both losses and loss-prevention technology. So it seems safe to assume that they are managing these kinds of risks rationally.