I kind of doubt it because this clever high school student worked with a Johns Hopkins University researcher and used the lab facilities there. It would seem that Johns Hopkins University would have the intellectual property rights over this invention in the form of a patent.
I believe the motivation for usurping student copyrights is that school boards are notorious for grasping at whatever mechanism that gives them control over students. Suppose a student wrote an essay that, heaven forbid, caused a disruption in school and the community at large. What better way to suppress it, in this internet age where duplication is so easy, than by claiming copyright infringement everywhere it appeared? Oh, "fair use" what's that? School boards always have more important considerations in protecting the children.
So, it seems the rationale for phone based browsers always going through a specialized proxy is that the proxy will do the compression and rendering that would tax the limited processor(s) on the phone. The user sees a quicker response time. The rationale for becoming a MITM during an HTTPS session is, again, to allow Nokia servers to do the rendering which can only be done for an unencrypted web page and compression which is only effective on unencrypted data. Also, the browser will be smaller if it doesn't have to distinguish HTTPS from HTTP traffic and then do all that rendering and compression itself.
It would have been nice if Nokia, and other smart phone makers, had been more upfront and explicitly pointed out the compromising effect on HTTPS of how they use their proxy servers. I can't say I'm surprised with their attitude of we don't actually eavesdrop so it's all OK. What is a little surprising is how they "fixed" this, supposedly in response to Pandya's blog. They now tunnel the HTTPS connection through an HTTP connection to the proxy. One does not need to use a proxy at all in this case though. Perhaps it was easier and quicker for them to still funnel all traffic to their proxy servers. I don't understand why Pandya notes that this is better but still "bad news" as the HTTPS traffic in this situation provides confidentiality.
This whole issue of compromising the confidentiality of HTTPS traffic should soon be moot as phones, smart phones in particular, incorporate more powerful processors. What is a bit scary is if law enforcement decides that such proxies should be required solely as an eavesdropping point for their purposes. I would be surprised, for any Nokia proxies in the U.S., if law enforcement didn't claim that CALEA required Nokia to store and allow access to compromised HTTPS traffic when a warrant or subpoena was served.
The PCI DSS covers business practices. Conforming businesses must provide a method to transmit card data securely. If the client decides to defeat that security by going through a proxy that does not tunnel the HTTPS connection then it is not the fault of the business and does not violate the PCI standard. Maybe Nokia isn't explaining well to its clients that using their phones essentially breaks the confidentiality of all information passed through an HTTPS connection but NOKIA isn't the processor of the card transaction and so doesn't come under the PCI DSS standard. They also claim not to look at or store this information so a business could still claim to be compliant even if they encourage transactions over a NOKIA phone.
The same arguments work for HIPAA. NOKIA is not a health care provider and although they may have potential access, they do not eavesdrop or store the data. A close analogy would be talking to your doctor over the same phone in a voice conversation. Although NOKIA, ATT, or whatever telecom, has potential access to this conversation, they supposedly don't listen in or record such things without a warrant with the small exception of the NSA's nationwide warrantless eavesdropping program which will soon record everything.
I think we have reached a point though where the security practices of communication intermediaries need to be taken into account in such standards as HIPAA and PCI DSS.
Since the cam was taken as evidence, there must be tracking showing all who were in possession of it. The video itself is certainly evidence pertaining to the two charges Henderson has been accused of. One, of at most a handful, of law enforcement officers who handled the camera had to have deleted the video and thus deleted evidence that would have been useful in the trial. The police here have put themselves in a bad situation and I'll bet charges will be dropped before a trial occurs. Recovery of the deleted video would help Henderson's case tremendously.
Although the HIPAA violation is noted in the citation the policewoman handed out, Henderson was actually charged with just "obstruction of legal process and disorderly conduct, both misdemeanors". This is enough bullshit on its own but it looks like the law firm that handles the misdemeanor prosecutions in that county decided the HIPAA violation was just too much bullshit.
In the article, the police claim they didn't delete the video. I am not specifically familiar with digital cam filesystems but if it is close to typical computer filesystems then deletion means just deleting the directory entry. In fact, the directory entry may still be there, and with a timestamp, but just marked as being invalid. It is possible that Henderson could recover the file, but he should try to do this before using the camera further. If he used a computer forensics expert to do this the recovered file could be more convincingly used as evidence in court. If during trial the policewoman testified under oath that she did not delete the video and then evidence was presented that the video was actually deleted, well, that would be perjury proven.
This is currently true which is why it is not so worrisome that they are working on such a standard. Standards have to be adopted and implemented and the ITU, or its former moniker CCITT, does not have a good record on getting telecom initiated protocol standards adopted in the real internet world. A case in point, the Internet uses the TCP/IP protocol stack rather than a protocol stack based on the OSI Reference Model. The fact that a proposed DPI standard does not take privacy into account only makes it harder for the ITU to have any success in getting the standard adopted.
What is worrisome is if global politics change enough so that ITU can mandate such standards. This is why what happens at the current WCIT meeting and the response of the world outside of their star chamber is so critical. However, I see the most likely path for adopting DPI standards is for individual countries to mandate this ability via laws such as an expanded CALEA in the US. This has to be done in a way that allows the protocol stack to still be interoperable with countries that respect privacy.
I apologize in advance for all the techy acronyms but my time is limited today so I am being lazy in writing this.
I like that story. Not that it matters anymore, but taxi cab storage was probably a bad idea. The disks were undoubtedly the "Winchester" type and when powered down the head would be parked on a "landing strip". Still, subjecting these drives to jolts from a taxi riding over bumps in the road could damage the head or cause it to be misaligned. You would have known though if that actually turned out to be a problem. Also, I wouldn't trust a taxi driver with the company database. Although, that is probably due to an unreasonable bias towards cab drivers. I won't mention the numerous arguments with them (not in the U.S.) over fares and the one physical fight with a driver who nearly ran me down while I was walking.
In this case they were not dealing with unknown malware that was steadily erasing the system as they watched. There was, apparently, a delete event at a single point in time that had repercussions that made things disappear while people worked on the movie. I'll bet things disappeared when whatever editing was being done required a file to be refreshed. A refresh operation would make the related object disappear when the underlying file was no longer available. Apart from the set of files that had already been deleted, more files could have been corrupted when the computer was unplugged. Having said that, this occurred in 1999 when they were probably using the Ext2 filesystem under Linux. These days most everyone uses a filesystem that includes journaling which protects against corruption that may occur when a computer loses power. Ext3 is a journaling filesystem and was introduced in 2001.
In 1998 I had to rebuild my entire home computer system. A power glitch introduced corruption in a Windows 95 system file and use of a Norton recovery tool rendered the entire disk into a handful of unusable files. It took me ten hours to rebuild the OS and re-install all the added hardware, software, and copy personal files from backup floppies. The next day I went out and bought a UPS. Nowadays, sometimes the UPS for one of my computers will fail during one of the three dozen power outages a year I get here. I no longer have problems with that because of journaling.
Oren Jacob, the Pixar director featured in the animation, has made a comment on the Quora post that explains things in much more detail. The narration and animation was telling a story, as in storytelling. Despite the 99% true caption at the end, a lot of details were left out which misrepresented what had happened. Still, it was a fun tale for anyone who had dealt with backup problems. Oren Jacob's retelling in the comment makes it much more realistic and believable.
The terabytes level of data came from whoever posted the video on Quora. The video itself never mentions the actual amount of data lost or the total amount the raw files represent. Oren says, vaguely, that it was much less than a terabyte. There were backups! The last one was from two days previous to the delete event. The backup was flawed in that it produced files that when tested, by rendering, exhibited errors. They ended up patching a two-month old backup together with the home computer version (two weeks old). This was labor intensive as some 30k files had to be individually checked.
The moral of the story. Firstly, always test a restore at some point when implementing a backup system. Secondly, don't panic! Panic can lead to further problems. They could well have introduced corruption in files by abruptly unplugging the computer. Thirdly, don't panic! Despite, somehow, deleting a large set of files these can be recovered apart from a backup system. Deleting files, under Linux as well as just about any OS, only involves deleting the directory entries. There is software which can recover those files as long as further use of the computer system doesn't end up overwriting what is now free space.
My favorite album that uses a lot of sampling was one of the earliest uses of sampling, Brian Eno and David Byrne's 1981 collaboration on "My Life in the Bush of Ghosts". A brilliant set of songs! I am now wondering if they will see some sort of lawsuit.
A distinction should be made in how school officials can react. Certainly a school should have a program that teaches about bullying (what constitutes bullying, what motivates bullying, and how it can be handled). They could even hold discussions in response to a particular incident. The school is not responsible for a student's actions outside of school or school sponsored events. Schools should not usurp the parents' authority. When a public school is in session, school officials have a role as a surrogate for the parents or as an extension of the state. Punishing speech or behavior occurring outside of school is beyond their jurisdiction. Perhaps the best response is to inform the parents of any instigator and arrange a conference if the parents agree.
How far does the school's responsibility and authority extend? If a student accesses Facebook from school using the school equipment and internet connection, clearly the school has authority. What if the access is from a student's phone during lunch break? What if the student accesses Facebook from a phone while walking or riding home or to the local fast-food joint? The answers to these questions apply not just to bullying behavior but also in the same way to any sort of speech.
In addition to location, let's look at ownership of equipment as a factor in determining the school's authority.
Austin Carroll, the Indiana high school student who was expelled for a profane tweet, did this from his home. He used a school issued laptop which was configured to use a school server as a proxy in accessing the internet. After logging in to the school website, which is the home page upon launching the browser, he had access to the internet which appeared to him exactly the same as just going through his local ISP connection. The school claims that their ownership of the laptop and forced routing through the school network gives them the authority to censor his speech as if he was physically at school. Is it enough ownership to claim authority if Austin had used the school laptop and avoided going through the school's network? Would the same logic apply if he used a school issued pencil to write an objectionable sentence? My feeling is schools should only get involved if speech occurs at school or a school sponsored function and, if applicable, using school owned equipment.
When a student is not at school he or she has the same free speech rights as anyone else (I am disregarding, for now, the parents' say in the matter). There is no restriction on what people this speech is in reference to. They can talk about teachers, school officials, and other students. The school has no authority here even if the speech rises to libel or slander. The school can, of course, contact law enforcement or the parents playing the role of informer or counselor. Teachers do not have the same freedom, as they have a responsibility to maintain the privacy of students and are subject to restrictions that any other government employee would have.
Like anything valuable, it can be abused. I think having the capability of anonymity on the internet is too important to forgo because there are some criminals, terrorists, pedophiles etc. who would also use it as a tool. They can be caught or stopped in other ways. With global surveillance and data mining quickly becoming a technological possibility, anonymity provides a way for dissidents to communicate, which is an important tool to fight tyranny.
One of the characteristics of TOR is that a message transmitted through the network will travel through node(s) that are not subject to a single country's laws. Also, you personally could host a TOR node. I'm sure there are people who are willing to do this in the US who are motivated not to voluntarily share information with the government.
I am certainly motivated, after reading recent articles on NSA's Bluffdale, Utah facility which included the fact that Stellar Wind uses at least 10 to 20 intercept points in our telecom infrastructure. This certainly has undercut and continues to undercut the 4th amendment. I am motivated because CISPA will legitimize, unless it is found contrary to the 4th amendment, arbitrary surveillance leading to a surveillance state. A surveillance state, for sure, provides the tools to protect from terrorism, cybercrime, etc. but at the same time provides the infrastructure for a totalitarian state. I am now motivated and will be sending in my resume tonight to work full time on the TOR project as I saw this week they have a software opening.
If you read the article referenced in this story it is completely understandable that you could come away with the impression it was no coincidence that Bit9 released the survey results while CISPA was being debated and the survey results could be used to support CISPA. I looked further and it seems the survey release may or may not be coincidental but if the timing was intentional Bit9 is only glomming onto any sort of publicity dealing with "cybercrime".
From Bit9's web-site and about the survey: http://www.bit9.com/company/news-release-details.php?id=247
"Despite current plans to implement cyber security legislation, only 7 percent believe that government regulation and law enforcement will best improve security."
"So how do we protect against these types of attacks while still not infringing on the privacy of the typical user? The legislation is very broad, leaving a lot of wiggle room for the government to acquire information outside of the bill's initial intent. Unlike the USA PATRIOT Act, which allows roving domestic wiretaps, CISPA would grant the government unprecedented access to web company user data and trump already passed (and extended) legislation like the USA PATRIOT Act."
"By putting companies in control, the bill claims to protect each user’s privacy by not mandating private or public web companies to fork over their user data. This would leave companies like Facebook to choose what to do with the information it knows about you as opposed to the government – a little better, but still disconcerting. Facebook, Microsoft, Oracle, Symantec, Verizon and reportedly Google have come out in support of the legislation – a stark contrast to the public and company protests regarding SOPA and PIPA."
"But most of these brands do not have a great track record of protecting user privacy to begin with. So the fact that they embrace support for this bill is a far cry from an authoritative endorsement of user privacy protection. The bill may be an "opt-in" legislative measure, but who is to say that both parties (the government and corresponding companies) can't both mutually benefit from the sharing of private information? This may now give companies the ability to barter private information with the government in exchange for corporate influence."
I would say this shows that Bit9 does not support CISPA. It does show that you often need to look past a single blog's summary of an event or publication, particularly if you are going to make a presumption, about Bit9 and CISPA here, that the blog does not make.
Nice summary of botnets, Rich. I would like to point out one aspect of botnets you did not mention. I don't have the time today to track down a reference, but my memory tells me that a large portion of botnet zombies become zombies because the user does not update their OS or application software to patch security vulnerabilities and/or they do not have anti-malware software installed. There is a correlation between pirated versions of Windows and malware infection. This could be due to the end-user's risky behavior in general, by downloading software from any source and blindly trusting it not to be malware, or the end-user's mistaken perception that Microsoft insists on applying security updates to only validated versions of MS software.
This is not to say that fully updated systems running anti-malware and IDS systems cannot be infected. They can. However, it is more likely that a system that is not updated will be infected. This makes anti-malware software useful in limiting the size of botnets. Otherwise, why isn't everyone's computer part of some botnet? Frankly, I don't know how to convince people to keep their computers updated, but wider adoption of this practice would limit the size of botnets further. In addition, takedowns of botnets like Zeus and Kelihos are a new technique that pushes the balance further toward limiting the spread of botnets.
One thing for sure, as you say, the problem of botnets will not be fixed through legislation and is not a valid argument in support of CISPA.
I am always skeptical of what Richard Clarke says but I would not dismiss everything he says out of hand. I assume that he is always selling something, and to me, his worst fault is intentionally distorting the context or importance of the things he talks about. The following is a short video he did for Bit9 discussing this survey. http://www.youtube.com/watch?v=rnnxFPOKHKU&feature=relmfu
In this, he categorizes the different motivations for attacks well (CHEW - crime, hacktivism, espionage, and war). Surprisingly, he downplays the threat of war by saying it doesn't go on very much. I imagine that apparent change in his thinking is motivated by who he is currently representing. He emphasizes espionage as being the most important concern. Despite the cover photo for the video being the Anonymous-adopted Guy Fawkes mask from "V for Vendetta", Clarke doesn't seem too concerned about hacktivism here.
Richard Clarke, former advisor to 3 presidents including National Coordinator for Security and Counterterrorism, and Special Advisor to the President for Cyber Security, is on the board of directors for Bit9 which is the company that conducted this survey. This is not terribly surprising though. I would not expect congress members to be involved because this company is a technology company providing security software and appliances. US government agencies could be a customer but as their survey emphasized, the solutions IT professionals see for security are not more government regulations and more law enforcement but technological tools to protect against cyberattacks (i.e. what Bit9 sells). Not much use for lobbying here.
There was an incident in Britain, which already has a law similar to the CFAA in the US, where Glenn Mangham was sentenced several weeks ago to 8 months in jail for doing security research. He found a security vulnerability in Facebook and collected evidence (internal Facebook documents and code) to present to Facebook as proof of the vulnerability. Despite the judge in his case stating:
"I acknowledge ... that you never intended to pass any information you got through these criminal offences to anyone else and you never did so, and I acknowledge that you never intended to make any financial gain for yourself from these offences,"
he was found guilty and sentenced to jail time under the Computer Misuse Act despite having no criminal intent associated with his actions. The EU Cybercrime bill not only would allow this kind of abuse across all of Europe, it would be worse than the CMA or the US CFAA.
Peer to peer protocols will be of no benefit to DNS whether they use the current root or an alternate one. The main benefit of peer to peer is relieving bandwidth requirements on what would otherwise be the sole source of distribution. That benefit comes when the files being distributed are sizable. DNS records, even ones with certificates, are not very big. The response to a root query is contained, by design, in a single 512 byte IP packet. This is why there are only 13 root servers. (Yes, I know this is amplified by anycast and load balancing to some 242 physical root servers).
The other main benefit of peer to peer protocols is redundancy and a distributed architecture. DNS already is structured to be redundant and distributed in other ways. The contents of the root zone file are determined at a single point, but the distribution of these contents is indeed redundant and distributed.