Feed aggregator

Lilbits (2-02-2015): Tablet shipments are down

Liliputing -

A little over 76 million tablets and 2-in-1 devices were shipped in the last quarter of 2014 according to research firm IDC. That sounds like a lot of tablets… until you realize that it marks a 3.2 percent decline from the same period a year earlier. That’s the first time IDC has seen a year-over-year decline […]


Groundhog bites Wisconsin mayor’s ear

RT -

The mayor met with “Jimmy” the groundhog early on Monday, Groundhog Day, to see if the rodent, as per annual tradition, could see its own shadow and thus determine whether or not spring would come early to the southern Wisconsin town.

Not only did Jimmy predict six more weeks of winter, according to its handlers, but he also made a meal out of Mayor Freund’s ear.

Local news networks covering the Groundhog Day festivities caught Jimmy chomping on his ear live on camera, and video footage of the incident has since started circulating online.


The Associated Press reported that the mayor initially misinterpreted the groundhog’s prediction and said spring would come early this year. Jimmy’s handlers, Jerry and Maria Hahn, then corrected the mayor and said it was the opposite, but the city of Sun Prairie ultimately settled the dispute by insisting in an official statement that only the mayor can interpret the groundhog.

Across the United States in Pennsylvania, America’s most famous weather-predicting groundhog, Punxsutawney Phil, similarly surmised there’d be another month and a half of winter after seeing his own shadow early Monday.

This Song (Still) Belongs to You and Me

EFF's Deeplinks -

Between all the Super Bowl football action yesterday, one commercial seemed to have caught a lot of people's attention: to promote its smallest SUV, Jeep showed images of it all over the country, then the world, to the tune of Woody Guthrie's "This Land Is Your Land."

One reason people are discussing it is because appearing in a commercial would seem to run against the late Guthrie's values. Would Guthrie have ever allowed the song to be licensed to Jeep, and for a Super Bowl commercial?

The answer is that nobody had to license it. Ten years ago, EFF set out to defend an online political parody set to "This Land Is Your Land," by arguing that it was a fair use. Instead, we discovered through the course of litigation the song actually entered the public domain in 1973, and today there are no restrictions on its use. That means that organizers that share Guthrie's politics—and yes, companies like Jeep—are equally free to use the song.[1]

Of course, even when his songs were restricted by copyright, Guthrie was famously permissive. Just look at his Copyright Warning from the 1940s:

This song is Copyrighted in U.S., under Seal of Copyright # 154085, for a period of 28 years, and anybody caught singin it without our permission, will be mighty good friends of ourn, cause we don’t give a dern. Publish it. Write it. Sing it. Swing to it. Yodel it. We wrote it, that’s all we wanted to do.

Given the duration of copyright terms and the control many artists and publishers try to exert, it can seem like any use is an endorsement. But Woody Guthrie preached the value of sharing freely—and when it came to his music he practiced it, too.

[1] There are a few caveats here. For one, this recording of the song needs to be licensed. For another, our client settled its case after we made the public domain discovery. Even though we documented the timeline by which the song entered the public domain, it's possible that the publisher Ludlow Music still requests—and receives—licensing fees. Finally, there are a few variations of the composition, and some may still have copyright restrictions.

Related Issues: Fair Use and Intellectual Property: Defending the Balance. Related Cases: JibJab Media v. Ludlow Music ("This Land" Parody).

7 Things To Love About reddit’s First Transparency Report

EFF's Deeplinks -

Here’s something that merits a lot of reddit gold.

On Thursday, reddit published its first-ever transparency report covering all of 2014. It’s a summary of all the legal requests to take down content from the site as well as all government attempts to access reddit’s user data.

Lots of companies publish transparency reports, but not all of them do a good job. We took some time to look at exactly what reddit’s report included and found a whole bunch of stuff that impressed us. Here’s an overview of why you might be equally thrilled with the report.

  1. Published within 30 days of the reporting period. Lots of companies will publish transparency reports that cover a time period ending several months prior (for example, the transparency report will cover a period ending in December but the report itself won’t be published until March or April). Not reddit. Its transparency report covers all of 2014 and was published in the first month of 2015. That means more recent, and potentially more relevant data.
  2. Warrant for content. reddit won’t hand over user data for a law enforcement officer who gets his boss to sign off on a subpoena. Instead, reddit insists on a judge-ordered warrant—based on probable cause—before handing over content. reddit states: “reddit requires a search warrant based on probable cause to disclose user content information, which includes private messages and posts/comments that have been deleted or otherwise hidden from public view."
  3. Telling users about government requests. When it comes to protecting users, one of the strongest policies a company can adopt is to always inform users about a government request for their data. While there are a few occasions when a company may be legally prohibited from disclosing a government request, or where an imminent physical injury requires an expedient response, it’s a good rule of thumb to let users know about requests so they can seek legal counsel and fight back. reddit nimbly makes this pledge, stating: "Many government requests we receive contain demands to withhold notice from users that carry no legal weight. We actively disregard these non-binding demands. Our goal is to give users the information they need to seek legal advice before their records are disclosed. As stated in our privacy policy, we provide advance notice to affected users unless prohibited by a court order or where we decide delayed notice is appropriate based on clear criteria." We think this is great, but there's some room for improvement here. reddit should make explicit that in an emergency situation, it will still inform users about a government data request after the emergency is concluded (we call this post-hoc notification). This is implied by reddit's current statement, but could be even more explicit.
  4. All emergency requests in writing. In an imminent emergency (where there is a threat of serious bodily harm or death) there are occasions when law enforcement will approach companies and ask them to turn over user data. Companies like to leave themselves flexibility to respond if it could mean potentially saving a life. We recommend that in such situations, companies always get a statement in writing from law enforcement, and reddit does exactly that, stating: "When notified of an emergency situation by law enforcement, we require that they provide as much information as possible and certify the request in writing."
  5. A warrant canary. While still an untested legal theory, a warrant canary basically means that a company is publicly pledging that it has not received a national security order or letter. If it does receive such process, it will be gagged from disclosing the fact. The idea with a warrant canary is that if a company were to delete this statement (or not publish it in future reports), a meticulous reader would notice and be able to raise an alarm. reddit added a warrant canary to its report, noting "As of January 29, 2015, reddit has never received a National Security Letter, an order under the Foreign Intelligence Surveillance Act, or any other classified request for user information."  
  6. A strong stance against mass surveillance. As it reminds us in its transparency report, reddit and dozens of other companies and organizations publicly opposed mass, warrantless surveillance, signing a letter that said "This type of blanket data collection by the government strikes at bedrock American values of freedom and privacy. This dragnet surveillance violates the First and Fourth Amendments of the U.S. Constitution, which protect citizens’ right to speak and associate anonymously and guard against unreasonable searches and seizures..."
  7. No defamation takedowns. According to the report, reddit received 33 requests to remove content that didn’t have to do with copyright or trademark infringements, and reddit states that many of these have to do with alleged defamation. reddit stood by its users and refused to comply with any of these requests.

We’re impressed by reddit’s first transparency report. In fact, the report tracks remarkably closely to EFF’s annual Who Has Your Back report, which rates companies on factors like requiring a warrant for content and informing users about government data requests. While we have no way to know whether reddit could have done more to fight government requests for user data, we can say with certainty that it adopted industry best practices in its first-ever transparency report.

When companies publish transparency reports, they take an uncomfortable step. They shine light on how vulnerable our digital lives are to the legal (and extra-legal) machinations of governments and corporations who wish to surveil and censor digital denizens. No company is legally obligated to publish such a report, and it's possible that users could be so upset by the data in a transparency report that they might be hesitant to use an online service. Nonetheless, reddit and dozens of other companies are still choosing to publish transparency reports, often with great detail.

The end result? We know a little bit more about government attempts to seek access to our digital lives. We see a little more clearly the work of copyright and trademark in taking speech off the Internet. And there is a hope that this transparency may even cause government to pause and reconsider before sending egregious demands for user data, knowing their requests will one day see the light of day and could well be met with resistance.

Related Issues: Privacy, Transparency.

EFF Joins Coalition to Launch Canarywatch.org

EFF's Deeplinks -

"Warrant canary" is a colloquial term for a regularly published statement that an internet service provider (ISP) has not received legal process that it would be prohibited from saying it had received, such as a national security letter. The term "warrant canary" is a reference to the canaries used to provide warnings in coalmines, which would become sick from carbon monoxide poisoning before the miners would—warning of the otherwise-invisible danger. Just like canaries in a coalmine, the canaries on web pages “die” when they are exposed to something toxic—like a secret FISA court order.

Warrant canaries rely upon the legal theory of compelled speech. Compelled speech happens when a person is forced by the government to make expressive statements they do not want to make. Fortunately, the First Amendment protects against compelled speech in most circumstances. In fact, we’re not aware of any case where a court has upheld compelled false speech. Thus, a service provider could argue that, when its statement about the legal process received is no longer true, it cannot be compelled to reissue the now false statement, and can, instead, remain silent. So far, no court has addressed this issue.

But if you’re not paying attention to a specific canary, you may never know when it changes. Plenty of providers don’t have warrant canaries. Those that do may not make them obvious. And when warrant canaries do change, it’s not always immediately obvious what that change means.

That’s why EFF has joined with a coalition of organizations, including the Berkman Center for Internet and Society, New York University’s Technology Law & Policy Clinic, and the Calyx Institute to launch Canarywatch.org. The Calyx Institute runs and hosts Canarywatch.org.

Canarywatch lists the warrant canaries we know about, tracks changes or disappearances of those canaries, and allows users to submit canaries not listed on the site. For people with interest in a particular canary, the site will show any changes we know about. The page’s FAQ explains the mechanics and legal theories underpinning warrant canaries. It also has an anatomy of a canary that, since canaries come in so many different forms, helps anyone understand what they’re seeing when they look at a particular canary.

Warrant canaries are a unique tool ISPs have to provide users with more transparency about the government requests they do, and do not, receive. We hope the site will educate, improve the usefulness of warrant canaries for the general public, and help people with a special interest in canaries track them.
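The tracking problem described above (a canary that silently disappears, is reworded, or simply stops being renewed) can be reduced to comparing successive snapshots. The following is an added example written for this page, not Canarywatch's own code; it assumes a canary is a plain-text statement dated with an "As of Month D, YYYY" clause, as in the reddit canary quoted earlier, and the sample snapshots are constructed.

```python
import hashlib
import re
from datetime import date, datetime, timedelta

# Matches the dating convention of the reddit canary quoted above, e.g.
# "As of January 29, 2015". Other canaries date themselves differently;
# this pattern is an assumption of the example, not a standard.
DATE_RE = re.compile(r"As of ([A-Z][a-z]+ \d{1,2}, \d{4})")

# Constructed sample snapshots (not fetched from any live page).
SNAPSHOT_2015_01 = (
    "As of January 29, 2015, reddit has never received a National Security "
    "Letter, an order under the Foreign Intelligence Surveillance Act, or any "
    "other classified request for user information."
)
# Same pledge, only the date moved forward: a healthy renewal.
SNAPSHOT_RENEWED = SNAPSHOT_2015_01.replace("January 29, 2015", "April 30, 2015")
# Date moved forward but the FISA clause is gone: wording changed.
SNAPSHOT_REWORDED = (
    "As of April 30, 2015, reddit has never received a National Security "
    "Letter or any other classified request for user information."
)


def canary_date(text):
    """Return the 'As of' date embedded in a canary, or None if there is none."""
    m = DATE_RE.search(text)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%B %d, %Y").date()


def normalize(text):
    """Blank out the date and collapse whitespace so only the pledge wording remains."""
    undated = DATE_RE.sub("As of <DATE>", text)
    return " ".join(undated.split())


def fingerprint(text):
    """Stable digest of the pledge wording, suitable for a change log."""
    return hashlib.sha256(normalize(text).encode()).hexdigest()


def canary_status(previous, current, today, max_age_days=90):
    """Classify what happened to a canary between two observations.

    previous: text seen last time (None if never seen before).
    current:  text seen now (None or empty if the statement is gone).
    today:    date of this check.
    max_age_days: how long a canary may go un-renewed before it is called
    stale. This is an assumed threshold; providers publish on different
    schedules, so it should be set per canary.
    """
    if not current or not current.strip():
        # The statement vanished: the classic "dead canary" signal.
        return "missing"
    if previous is None:
        return "new"
    if normalize(previous) != normalize(current):
        # Wording changed. As the post notes, a change is not self-explanatory,
        # so flag it for a human reader instead of guessing what it means.
        return "changed"
    cur_date = canary_date(current)
    if cur_date is None:
        return "undated"
    if today - cur_date > timedelta(days=max_age_days):
        # Identical text, but nobody has re-dated it for too long.
        return "stale"
    prev_date = canary_date(previous)
    if prev_date is not None and cur_date > prev_date:
        return "renewed"
    return "ok"
```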

Related Issues: National Security Letters, NSA Spying.

Who Really Owns Your Drones?

EFF's Deeplinks -

If there's anything creepier than a drone flying up to your home and peering through your window, it's the thought of your technology—your cellphone, laptop camera, car radio, or even an implanted medical device—being turned on you for an even more intimate view of your private life. But the reaction last week to a drunken government intelligence agent borrowing his buddy's drone and crashing it into the White House lawn is a reminder that shortsighted solutions to the first problem could exacerbate the second.

As the White House reacted to the drone crash with a call for more regulation, the manufacturer of the downed quadcopter announced it would push a firmware update to all its units in the field, permanently preventing those drones from taking off or flying within 25km of downtown Washington DC.

This announcement may have been an effort by the manufacturer DJI, whose Phantom model is one of the most popular consumer drone units, to avoid bad press and more regulation. But it also reinforced the notion that people who "own" these drones don't really own anything at all. The manufacturer can add or remove features without their agreement, or even their knowledge.

In this case, there are reasons to restrict the airspace above Washington, DC, so DJI’s unilateral action may find support in community norms. But its action also underscores how your ownership of the stuff you buy is overridden by the manufacturer's ability to update or change it—a phenomenon that is proliferating to anything with a networked computer. In 2015, that's a huge portion of the things in your life.

In the world of gadgets, this has become a well-known problem. Nearly five years ago, for example, Sony made headlines by pressuring Playstation users to install an update that removed their ability to run unapproved software. People had been able to install GNU/Linux, and had even combined Playstations to assemble powerful supercomputers. Sony removed that feature from consoles in people's homes.

A more alarming example may be your car. New cars come with numerous on-board computers that can be reprogrammed—but not usually by you, the owner. Tesla made waves last week by "texting" new code to its cars, updating an algorithm to improve acceleration. But the gee-whiz quality of that upgrade should be tempered by some more uncomfortable realities.

One is a report in the New York Times last September, which documented the practice among lenders to install GPS trackers and "starter interrupt" devices to remotely locate and disable cars when, say, somebody falls behind on payments or drives outside of a certain area. The Times tells the story of a woman who couldn't bring her daughter to the hospital because she was three days late with a payment, and another of a woman whose car was found and towed a day after she left the agreed-upon radius in order to flee an abusive boyfriend.

These examples are from companies changing the products they control because it's in their self-interest to do so. But of course, the threat is not just from the manufacturer, but from anybody who can compel, coerce, or compromise its ability to issue those remote updates. These possibilities are not hypothetical. BMW announced just last week it would be fixing a vulnerability in its cars that would allow an attacker to hijack a remote unlock mechanism. And over a decade ago, the FBI attempted to take over OnStar voice-operated dashboard computers to snoop on drivers—a plan only foiled because it would have interfered with emergency operations of the devices. The government's ability to use official update channels for its own ends also goes back years, as revealed by examinations of the Stuxnet malware.

Fundamentally, the problem here is a system where users don't have control over the technology they own and rely upon. That's not just about a certain technological architecture; it's about the legal system that props it up. In this case, one major problem is the anti-circumvention provision of the Digital Millennium Copyright Act (DMCA), which exists to support DRM software.

Without those DRM laws, users could replace the firmware on their devices with new software that was trusted and auditable. But instead, the law casts a shadow of doubt on users that would modify that software, researchers that would examine it for security vulnerabilities, and companies that would create competitive alternatives. It's a law that's overflowed its banks, affecting technology that touches almost every aspect of our lives.

For evidence of that legal excess, look no further than the list of exemptions proposed in the DMCA's currently ongoing triennial rulemaking process. From security researchers worried that the DMCA keeps them from uncovering life-threatening vulnerabilities, to the Software Freedom Conservancy's request to access the operating system of so-called Smart TVs, to many, many others, it's clear this law is no longer about "content," but about control. Control that's being denied to users.

(Yes, we're requesting exemptions for people to be able to repair and conduct security research on cars. Sign our petition to support those requests.)

The fate of small drone flights over DC may seem like a little thing—a spat worked out among private players. But these small battles shape the notion of what it means to own something and illustrate the growing control of manufacturers over user conduct.

Related Issues: DMCA, DMCA Rulemaking, DRM. Related Cases: 2015 DMCA Rulemaking.

The Key Ceremony: Auditable Private Key Security Practices

Bitcoin Magazine -

While many companies in the Bitcoin space are working on the “killer app” that will drive mainstream consumer adoption, at Armory we are working on the “killer app” for institutional adoption: insurance. There are few investments that financial institutions can make that have the all-or-nothing security properties of a Bitcoin wallet.

Many proponents tout the benefits of irreversible Bitcoin transactions for consumers and merchants, but at the enterprise level irreversibility can actually be quite scary. Business-to-business transactions are rarely anonymous, and the legal system provides sufficient pressure for parties to behave.

However, the legal system will not be of much help if those coins disappear due to accidental destruction or an anonymous security breach. In our experience with institutions, this is a critical barrier to entry. And getting institutions involved is a critical milestone for mainstream Bitcoin adoption.

Insurance can solve these problems, and a strong backbone of insured storage options could be a catalyst for both consumers and businesses to take Bitcoin more seriously. But getting insured is no easy task in such a new and high-stakes technology field.

Imagine you are an insurance underwriter being asked to price a policy for full coverage of a $100 million bitcoin wallet held by a company whose name you don’t recognize. In your first meeting with them they claim, “We are using all the most advanced technology to store our coins!” They use all the Bitcoin security buzzwords: “cold storage,” “multi-sig,” and “fragmented backups.”

Would that alone comfort you enough to risk $100 million for a small premium?

How do you know that they are actually using cold storage and multi-sig in their setup?

How do you know backups are created and secured properly (and not on Dropbox)?

How do you know an employee or executive did not rig the software or hardware to essentially steal the wallet before it was even created?

Cold storage and multi-sig are important concepts in Bitcoin security, but conceptual security alone is not enough. We want operationally transparent, auditable security. And it all starts with the “Key Ceremony.”

Key Ceremonies are not new. They have actually been used for 20 years to ensure the integrity of some of the most valuable cryptographic key material in the world. This includes keys that protect the backbone of the Internet, and keys held by governments used to issue and verify passports. Our goal at Armory has been to bring these established, high-integrity processes into the Bitcoin space. This is important so that organizations can manage their own risk, but especially important to the insurance companies whom we believe will help enable traditional institutions to become Bitcoin holders.

Key ceremonies are typically tailored to the organization and the value of the key material. However, in the most extreme cases, they are performed in a secure room with video cameras, witnesses, lawyers, notaries, and company executives.

The goal is not only to create the sensitive key material, but to reach an overwhelming consensus that it was generated in a cryptographically secure manner, and that no one could have made unauthorized copies. The process can ultimately include the following:

• Those who ultimately manage the keys and key backups are identified, documented, and their responsibilities are made clear.

• The authenticity of all hardware and software is verified before it is used for secure operation.

• Tamper seals are applied to all secure devices, and tamper-evident bags are used to detect any tampering or copying of sensitive backup data after they leave the ceremony room.

• The display of the secure computer is mirrored on large monitors for all witnesses and video cameras to observe every keystroke and mouse click during the key ceremony.

• The videos from the ceremony are archived to be reviewed/audited by third parties, and possibly as part of an investigation if funds go missing without explanation.

Keep in mind that in a cold-multisig wallet arrangement, each site will have to independently carry out its own key ceremony. In our conversations with insurance representatives, the best way to decentralize the security model has been to have different independent companies managing the coins.

The company that owns the coins would not even have the ability to move the coins by themselves. Nor would any other company. Authorizing transactions would require other signers to get recorded video confirmation from executives with authority over the wallet, enabling traceability and auditability of the ongoing operation.

Not all companies need this level of rigor. But a “full-paranoid” solution needs to exist if Bitcoin is going to see the entrance of global corporations who would be managing billions of dollars worth of bitcoins. A strong key ceremony as outlined above is only the start of an enterprise end-to-end security solution.


This week on Decentral Talk Live

Bitcoin Magazine -

Bitsquare is an open source, completely decentralized bitcoin exchange. Founder and developer, Manfred Karrer, discusses his project and his ideals with Ethan Wilding and guest host, Hai Nguyen. Bitsquare is based on the concept of “no single point of failure” and decentralization. Karrer also discusses the concept of peer-to-peer arbitration.

Andrew Lee of purse.io answers questions partially sourced from the bitcoin community. Purse.io’s model of selling Amazon giftcards for bitcoins is both controversial and exciting for people who want to buy bitcoins without going through the lengthy verification processes associated with exchanges. It also facilitates purchases through Amazon at a discount for people who want to shop with bitcoin. The DTL audience sent in some hard-hitting questions, and Andrew Lee has promised to answer them “head-on.”

Other guests this week will include Gerald Cotten of the Canadian exchange QuadrigaCX, as well as Mitchell Callahan, founder of Saucal, a marketing and brand development company that integrates bitcoin into its clients’ growth strategies.

Check out past videos at decentral.tv.
