For an interesting example of how to respond to the new environment, have a look at the Northshire Bookstore (http://www.northshire.com/). Northshire is located in Manchester, Vermont - a fairly small community surrounded by smaller communities, many poor. But Manchester is a tourist hub - there's a ton of skiing in the area, and many resorts that get summer traffic as well. The town is a tourist shopping hub. Many years ago, it was filled with locally owned store; for the last ten years or so, the major chains have taken over with outlets. The outlets are fading a bit; we'll see what replaces them.
Northshire has been there through all the changes. The store expanded a couple of years ago, and is, in total footprint, comparable to a medium-sized B&N. But since it started life in what was probably once a hotel, and added rooms here and there, it doesn't *feel* huge - it feels like a bunch of rooms. And it specializes in providing an experience: Knowledgable, friendly staff; regular talks by authors; special displays by local writers; little notes on the shelves from bookstore employees describing their favorites; etc.
Northshire has had a book printing machine (I don't know who makes it) for a couple of years. They also started selling on-line a while back.
I have no connection with the store, other than as a long-time customer: We vacation nearby a couple of times a year, and as a family tradition always include a visit to Northshire on every trip. The store has been busy every time we've been in there. And we always leave with a large collection of new books. In fact, we used to have Borders near us at home. We realized that we almost never went there: Books we needed "quickly" came from Amazon; books that were the result of browsing came from Northshire. Borders just kind of faded from our lives (though we do miss knowing it's there).
I hope Northshire's external appearance of success don't conceal inner dry rot. It's been a tough couple of years for many of the Manchester vendors, and they haven't had to deal with the technological changes in the book business.
As far as I can see, not a single comment here so far is from a person in a position to judge whether targeting works. That's because "works" is measured by *the customer who bought the ads*, not by *the person receiving them*.
Advertising is a game of statistics. No matter what medium you use, most ads will be completely ignored by the vast majority of people who see them. That's a reality that businesses have had to accept for years - there's even an old joke to the effect that "Half my advertising money is wasted. If only I knew which half!" In fact, if you consider an ignored ad "wasted money", the fraction "wasted" is over 99%. The only way to judge whether advertising is actually effective is to compare profit - income minus expenses, where expenses includes ads - for different amounts of advertising. Not easy to do, but most businesses have concluded that "wasting" money on ads is actually a worthwhile investment.
Because the actual fraction of ads that pay off is so small, it takes only a tiny increase in the absolute number to make a big difference. Suppose you ran an ad that a million people saw, and it brought in 100 customers you wouldn't have otherwise bought your product. (In most situations, that would be an incredibly successful campaign.) Now suppose targeting doubles that to 200 new customers.
Initially, of the million people who saw the ads, 100 thought they were relevant, while 999,900 thought they were not. With targeting, 999,800 thought they were not. So if you ask those who received the ads whether they got relevant ads, you'll reach the conclusion that an absolutely overwhelming percentage did not. Obviously, targeting *doesn't work*.
And yet, doubling the number of customers the ad brings in is an impossibly high improvement. Advertisers would kill to get it. More to the point - they'd pay a great deal of money to whoever could deliver numbers like that. Obviously, targeting *does* work!
Forbes picked up on this with two articles. One pretty much summarized what the Times said; the other looked into the question of what limits there were on Target should they decide to sell this data. Their conclusion: At present, pretty much none. That data is Target's to do with as they like. Were they to have a privacy policy, they would be bound by it - but they've never published one.
One person they spoke to is certain that this will soon change - that within 5 years, there might be limits on what data Target can collect, and there will certainly be limits on what they can sell. I pretty sure that's true.
By the way, it's important to keep in mind that Target - and every other company that does targeted advertising - always emphasizes that the positive value to the customer in delivering ads that describe products they might actually need. But that's of course not why the companies are doing this. The point is to sell more products. In fact, it's pointed out in these articles that the reason Target is so interested in discovering pregnant women and marketing to them is that it's long been known that young families tend to "bond" to certain brands (and likely places to buy them). Get them early and they'll keep coming back. Those early special discounts will be repaid many times over by full-price purchases.
Is there something wrong with this? Probably not, but just as there's a line where "clever" becomes "creepy", there's a line where "attractive" becomes "manipulative". It's never clear where the line is until after you've crossed it.
Many years ago, the group I worked for at a large company moved to a brand new facility. There was a committee that helped in designing various amenities, like the cafeteria. One decision was on the color. A consultant on the matter recommended (I think) yellow, because studies had shown that people bought more food in a yellow cafeteria. OK … but who is going with yellow good for? It's certainly good for the company running the cafeteria; but for everyone else working there, probably not. Whenever you see clever ideas like data mining to find pregnant women … ask yourself: Cui bono? Who benefits?
"We spent millions to put in that new safety system, and it's been totally wasted - we haven't had an accident in two years!"
It's very nice to say that "the free market" eliminated Microsoft IE's near-monopoly on browsers - but it's a misreading of history. No real "free market" existed, either before or after the change.
*Before* the change, Microsoft made a number of monopolistic moves. Windows represented virtually the entire PC market, and was impossible to attack: The deal offered to hardware vendors by Microsoft was "If you want a reasonable price for Windows, you have to agree to pay *per unit shipped*, whether a unit has Windows on it or not." Windows itself had IE6 embedded. You could, if you were technically adept, install another browser - but IE6 had to stay, because various other pieces of Windows (deliberately) relied on it.
*After* the change, Microsoft was under government scrutiny and regulation. They were forced to modify Windows to yank out dependencies on IE. More important, they were forced to offer users a choice of browsers during installation. There was no user demand for any of this, because the majority of users never even knew there was an issue.
If you look at things strictly from the point of government regulation, the market was "free" before the anti-trusts moves, and what Microsoft did was simply sharp-elbowed competition. That's a principled position, if one not shared by most people. You can argue, purely on market theory grounds, that Microsoft's moves were, in the long run, going to leave an opening for competitors to take the market from them. What you *can't* argue is that IE6's decline *proves* that pure market competition would have been sufficient - because it wasn't pure market competition that did the trick.
A meaningless comparison. Key length is one of those obvious things - after all, it's just a number and bigger is clearly better, right? - that leads people astray all the time. The thing to keep in mind is that what matters is not the *number of bits in the key*, it's the number of possible distinct keys. If I told you "I use AES-256 for absolute security, but it's easy for me to remember the key: I only choose keys between 1 and 1000" - well, that's obviously not very secure: You can guess my key in at most 1000 tries!
For a system like AES, every possible 128 (or 192 or 256) bit combination is a valid key. The strength of the system (against a brute force attack!) can be read directly off the number of bits. No conceivable computer will ever be able to attack a 256-bit key, and personally I cannot imagine a situation where a 128-bit key could be brute-forced.
For a system like RSA, only very special combinations of bits correspond to valid keys. An AES key is just a bunch of bits, while an RSA key, as a number, has to be product of exactly two prime numbers in a particular range, with special properties to boot. Even then, there would be too many values to try in a pure brute force fashion- but because of the necessary mathematical properties of an RSA key, no one does that. Instead, they use more efficient techniques that rely on those mathematical properties. A 1024 bit RSA key requires about as much computational effort as an 80-bit AES-like key. That's why the current recommendation is for at least 2048 bits (roughly the equivalent of 112 AES-like bits), though that's considered pushing it a bit. To get to the equivalent of a 128-bit AES key, you need a 3072-bit RSA key; to match AES-256, you need a 15360-bit RSA key! Such keys actually get used today. In 2005, if you combine published estimates, experts were predicting that 1024-bit RSA should be phased out by 2010 (though high-value uses should move faster). OK, so half way through that period, *one* 1024-bit RSA key was broken ... though in fact even that isn't true. (Breaking an RSA key amounts to factoring a large number into its two constituent primes. What the link points to was a successful factorization of a very specially chosen number - 2^1039-1 - for which even better mathematical techniques are known. Even so, it took the equivalent of 100 years of computer time. An indication that it was time to move on from 1024-bit keys? Absolutely. A practical "break" for massive numbers of RSA keys? Not quite.
An alternative to RSA is elliptic curve crypto (ECC), which has the same public-key properties but can use many more possible combinations of bits in a key, so can get by with dramatically shorter keys. In fact, to get the ECC equivalent of n-bit AES, you need 2n-bit ECC.
See "Second Circuit Strikes Down “Hot News” Injunction Against Flyonthewall — but Will the Misappropriation Tort Become More Invasive?" http://pubcit.typepad.com/clpblog/2011/06/second-circuit-strikes-down-hot-news-injunction-against-fl yonthewall-but-will-the-misappropriation-t.html for a note of caution about this ruling. Briefly, Paul Alan Levy is concerned that the ruling ignored First Amendment and other broad issues and narrowly focused on the detailed fact pattern. It explicitly did *not* strike down the Hot News doctrine. As a result, it may have little precedential value - and leaves Hot News like "fair use", something that no court has fully pinned down so that you never know for sure where the boundaries like.
It's certainly true that courts consider it a virtue to rule as narrowly as possible, and only answer questions actually asked by a particular case. But we also need broader principles to emerge so that people can have reasonable certainty of how new, but not completely novel, cases will be treated. If Levy is correct, we're going to have to see more Hot News cases decided before we really know where we stand.
Each WPA association in shared secret (PSK) mode uses a unique session key, which is computed using the shared secret (the password you enter), the MAC addresses of the two ends of the association, and two random numbers, once generated at each end. So if you enable WPA but with password "password" - or anything else - each individual device will actually use a different encryption key in conversations with the access point.
*If* someone is monitoring at the time the association is set up, they will get all the data needed to compute the actual session key. But if they weren't able to see the establishment of the association, they can't derive the key. So, unlike the case with non-encrypted connections, just being able to converse with the access point doesn't mean you can read all its traffic. In fact, you can only read your own.
Now, this is not a very robust kind of protection. One attack against an existing connection is to interfere with it in any of a variety of ways, forcing it to be re-established - at a time when you are presumably monitoring, Still, it's better than nothing - and it's sufficient to render connections opaque to Firesheep.
A convention some people are following is to give the network a name that tells you what password to use. Of course, you can (depending on the exact circumstances) simply tell people what the password is - or put up a sign with that information.
For all the effort and money, the Times's paywall doesn't even work right. My wife ran into it last weekend. She'd apparently reached her limit of 20 stories. We're actually long-time paper subscribers, so "just had to log in". Except it wouldn't work. She actually called the Times support line. They had us clear cookies, log out, and log back in again. That worked for one or two stories - at which point it kicked in again.
Fortunately, for Safari uses, there's a *built in workaround*: Just click the "Reader" button.
There are so many levels on which the Times just doesn't get it. They pissed off a very long time subscriber, wasted support costs (non-trivial, if you look at general industry costs) for *two* calls, the second of which was just a complaint that it didn't work - and ended up with another person who now knows how to get around their code when she needs to.
The Federal False Claims Act - allowing anyone to file a suit "on behalf of the Federal Government" against a Federal contractor for frauds against the government, and then share in any award - has been on the books since 1863 and has been used and upheld through this day. It was actually broadened in 1986 and 2009. So there's by no means an absolute bar to Congress's ability to allow private citizens to act when the government itself has failed to.
How that will play out in this case - exactly where a court will draw the lines on what Congress can and cannot delegate - I have no clue. But it's certainly not obvious that Congress can't allow anyone to help enforce the Patent Marking restrictions.
Judges are supposed to follow the law as written - whether they like it or not. (There are out's for them in some cases, but usually not.) The decision they rendered here was based on the language Congress handed them: The court relied on the “exceedingly broad language” of § 1030(e)(1) that “’[i]f a device is “an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer.” The court also held that “there is nothing in the statutory definition that purports to exclude devices because they lack a connection to the Internet.”
Congress also wrote the law that, for the most part, takes away a judge's discretion in deciding on the sentence. One can make some arguments for this (it increases predictability, it helps ensure that rich white kids don't get shorter sentences for the same crime as poor black kids); one can make political arguments for it (people feel judges are too lenient and have chosen, through their elected representatives, to be tougher on criminals); and one can make very good arguments *against* it (basically, little in real life is cut and dried and trying to pin things down too much leads to miscarriages of justice). Nevertheless, this is the law we have on the books today.
I'd be the first to agree that it's absurd to enhance a sentence based on "use of a computer" when that "computer" is a cell phone. Hell, I'd even agree that enhanced sentencing for using a computer on the Internet is a bad idea. But I disagree that this is an indictment of the judges involved. It's an indictment of Congress, which passed bad laws.
The first part of fixing a problem is putting the blame in the right place.
Is it legitimate for Apple to do something like this? There's plenty of precedent. Apple views their store as ... like a store. Try going into a Walmart, setting up a booth, and selling books or CD's or whatever. You want to sell at Walmart? You use their system: You deliver stuff wholesale, they get it out to consumers. Start an auction on Ebay, then make side deals with people to sell stuff without Ebay getting its cut, and they'll close your account (and perhaps go after you if for what you owed) if they find out. A real estate agent gets paid even if you find a customer yourself. (I bought my first house based on a newspaper ad. The seller was pissed that he had to pay the broker, who had absolutely nothing to do with the sale, his 3% - but the contract with the broker required it and is quite enforceable.) In a way, Apple is being more open here than Walmart would be: It's as if Walmart said "sure, set up your booth - but you also have to let us sell your books/CD's at the same time."
Is it a good idea for Apple to do this? We'll see. Sony and Amazon and Barnes and Noble are certainly pissed about it, but realistically, if you're an Apple customer, this is unlikely to hurt you - and in fact it probably makes it more convenient for you. (The only way you as a consumer get hurt is if Sony and Amazon and B&N decide to drop their apps entirely. That seems unlikely - Apple didn't make this move until it was offering a market so large that they would find it difficult to walk away. But Amazon in particular is no pushover - they'll certainly bargain hard. We have certainly not heard the last word on how this will actually work.)
If you're going to split Verizon, you have to split AT&T along the same lines - classic DSL vs. U-Verse, with the slowest marketed U-Verse speed being twice the highest classic DLS speed.
But if you start down that path, why not start splitting cable providers into areas where they've built out DOCSIS 3.0 and areas where they haven't?
The fact is that no one (other than the carriers themselves) have data this fine-grained - and it's not even clear that they do. Oh, they know the theoretical speeds of their "last-mile" offering; but that's nowhere near the same thing as actual measured data. Fios, for all the theoretical speed of its fiber, could have crippled connections into and out of wherever all that fiber converges. Or there could be other things limiting them, perhaps even stuff they aren't aware of.
The Netflix data is valuable exactly because it's measured, not a guess. Networks are complex combinations of many different components, and you're kidding yourself if you think you can know the performance of any non-trivial network without measurement.
Sigh. So many remarks, so little understanding. And in this case, understanding is actually quite important.
The attack on Facebook *was* a man-in-the-middle-attack, not just keystroke logging. Like many sites - including stores and even banks - Facebook encrypted the password (and probably the username) that you sent. You'll see sites that do that show a little "why is this secure?" help box to assure you that, no, the page itself doesn't show a lock indicator (because it isn't https) but your credentials are perfectly safe because they are sent "using 128-bit encryption".
But they are not at all safe because you have no idea who you are actually talking to. It could be Facebook/the store/your bank; or it could be someone who mocked up a page that looks like Facebook's/your store's/your bank's, complete with a nice, encrypted username/password mechanism, sending your username/password right to them. The Tunisian attack was a slight variation in that they modified the real page on the fly to inject this attack, rather than making up a fake site - but the end result was the same.
If you're going to put your stuff in a safe-deposit box handed to you by a bank official - make sure you're really at a bank, and that it's a real bank official handing you the box! Relying on a "secure username/password" field on an unauthenticated page is like accepting an offer of a safety deposit box from some guy on the street outside the bank. Sure, the box is solid steel and the lock is high quality - but who else has the key?
If a site you deal with offers "security" by encrypting just the login information - complain to them. You'll almost certainly be unable to get a message to anyone who actually understands the issue - but if you follow up by closing your accounts, eventually they'll get a clue.
(untitled comment)
For an interesting example of how to respond to the new environment, have a look at the Northshire Bookstore (http://www.northshire.com/). Northshire is located in Manchester, Vermont - a fairly small community surrounded by smaller communities, many poor. But Manchester is a tourist hub - there's a ton of skiing in the area, and many resorts that get summer traffic as well. The town is a tourist shopping hub. Many years ago, it was filled with locally owned store; for the last ten years or so, the major chains have taken over with outlets. The outlets are fading a bit; we'll see what replaces them.
Northshire has been there through all the changes. The store expanded a couple of years ago, and is, in total footprint, comparable to a medium-sized B&N. But since it started life in what was probably once a hotel, and added rooms here and there, it doesn't *feel* huge - it feels like a bunch of rooms. And it specializes in providing an experience: Knowledgable, friendly staff; regular talks by authors; special displays by local writers; little notes on the shelves from bookstore employees describing their favorites; etc.
Northshire has had a book printing machine (I don't know who makes it) for a couple of years. They also started selling on-line a while back.
I have no connection with the store, other than as a long-time customer: We vacation nearby a couple of times a year, and as a family tradition always include a visit to Northshire on every trip. The store has been busy every time we've been in there. And we always leave with a large collection of new books. In fact, we used to have Borders near us at home. We realized that we almost never went there: Books we needed "quickly" came from Amazon; books that were the result of browsing came from Northshire. Borders just kind of faded from our lives (though we do miss knowing it's there).
I hope Northshire's external appearance of success don't conceal inner dry rot. It's been a tough couple of years for many of the Manchester vendors, and they haven't had to deal with the technological changes in the book business.
(untitled comment)
As far as I can see, not a single comment here so far is from a person in a position to judge whether targeting works. That's because "works" is measured by *the customer who bought the ads*, not by *the person receiving them*.
Advertising is a game of statistics. No matter what medium you use, most ads will be completely ignored by the vast majority of people who see them. That's a reality that businesses have had to accept for years - there's even an old joke to the effect that "Half my advertising money is wasted. If only I knew which half!" In fact, if you consider an ignored ad "wasted money", the fraction "wasted" is over 99%. The only way to judge whether advertising is actually effective is to compare profit - income minus expenses, where expenses includes ads - for different amounts of advertising. Not easy to do, but most businesses have concluded that "wasting" money on ads is actually a worthwhile investment.
Because the actual fraction of ads that pay off is so small, it takes only a tiny increase in the absolute number to make a big difference. Suppose you ran an ad that a million people saw, and it brought in 100 customers you wouldn't have otherwise bought your product. (In most situations, that would be an incredibly successful campaign.) Now suppose targeting doubles that to 200 new customers.
Initially, of the million people who saw the ads, 100 thought they were relevant, while 999,900 thought they were not. With targeting, 999,800 thought they were not. So if you ask those who received the ads whether they got relevant ads, you'll reach the conclusion that an absolutely overwhelming percentage did not. Obviously, targeting *doesn't work*.
And yet, doubling the number of customers the ad brings in is an impossibly high improvement. Advertisers would kill to get it. More to the point - they'd pay a great deal of money to whoever could deliver numbers like that. Obviously, targeting *does* work!
-- Jerry
(untitled comment)
Forbes picked up on this with two articles. One pretty much summarized what the Times said; the other looked into the question of what limits there were on Target should they decide to sell this data. Their conclusion: At present, pretty much none. That data is Target's to do with as they like. Were they to have a privacy policy, they would be bound by it - but they've never published one.
One person they spoke to is certain that this will soon change - that within 5 years, there might be limits on what data Target can collect, and there will certainly be limits on what they can sell. I pretty sure that's true.
By the way, it's important to keep in mind that Target - and every other company that does targeted advertising - always emphasizes that the positive value to the customer in delivering ads that describe products they might actually need. But that's of course not why the companies are doing this. The point is to sell more products. In fact, it's pointed out in these articles that the reason Target is so interested in discovering pregnant women and marketing to them is that it's long been known that young families tend to "bond" to certain brands (and likely places to buy them). Get them early and they'll keep coming back. Those early special discounts will be repaid many times over by full-price purchases.
Is there something wrong with this? Probably not, but just as there's a line where "clever" becomes "creepy", there's a line where "attractive" becomes "manipulative". It's never clear where the line is until after you've crossed it.
Many years ago, the group I worked for at a large company moved to a brand new facility. There was a committee that helped in designing various amenities, like the cafeteria. One decision was on the color. A consultant on the matter recommended (I think) yellow, because studies had shown that people bought more food in a yellow cafeteria. OK … but who is going with yellow good for? It's certainly good for the company running the cafeteria; but for everyone else working there, probably not. Whenever you see clever ideas like data mining to find pregnant women … ask yourself: Cui bono? Who benefits?
-- Jerry
Cause and Effect?
"We spent millions to put in that new safety system, and it's been totally wasted - we haven't had an accident in two years!"
It's very nice to say that "the free market" eliminated Microsoft IE's near-monopoly on browsers - but it's a misreading of history. No real "free market" existed, either before or after the change.
*Before* the change, Microsoft made a number of monopolistic moves. Windows represented virtually the entire PC market, and was impossible to attack: The deal offered to hardware vendors by Microsoft was "If you want a reasonable price for Windows, you have to agree to pay *per unit shipped*, whether a unit has Windows on it or not." Windows itself had IE6 embedded. You could, if you were technically adept, install another browser - but IE6 had to stay, because various other pieces of Windows (deliberately) relied on it.
*After* the change, Microsoft was under government scrutiny and regulation. They were forced to modify Windows to yank out dependencies on IE. More important, they were forced to offer users a choice of browsers during installation. There was no user demand for any of this, because the majority of users never even knew there was an issue.
If you look at things strictly from the point of government regulation, the market was "free" before the anti-trusts moves, and what Microsoft did was simply sharp-elbowed competition. That's a principled position, if one not shared by most people. You can argue, purely on market theory grounds, that Microsoft's moves were, in the long run, going to leave an opening for competitors to take the market from them. What you *can't* argue is that IE6's decline *proves* that pure market competition would have been sufficient - because it wasn't pure market competition that did the trick.
-- Jerry
Re: Re: Re:
A meaningless comparison. Key length is one of those obvious things - after all, it's just a number and bigger is clearly better, right? - that leads people astray all the time. The thing to keep in mind is that what matters is not the *number of bits in the key*, it's the number of possible distinct keys. If I told you "I use AES-256 for absolute security, but it's easy for me to remember the key: I only choose keys between 1 and 1000" - well, that's obviously not very secure: You can guess my key in at most 1000 tries!
For a system like AES, every possible 128 (or 192 or 256) bit combination is a valid key. The strength of the system (against a brute force attack!) can be read directly off the number of bits. No conceivable computer will ever be able to attack a 256-bit key, and personally I cannot imagine a situation where a 128-bit key could be brute-forced.
For a system like RSA, only very special combinations of bits correspond to valid keys. An AES key is just a bunch of bits, while an RSA key, as a number, has to be product of exactly two prime numbers in a particular range, with special properties to boot. Even then, there would be too many values to try in a pure brute force fashion- but because of the necessary mathematical properties of an RSA key, no one does that. Instead, they use more efficient techniques that rely on those mathematical properties. A 1024 bit RSA key requires about as much computational effort as an 80-bit AES-like key. That's why the current recommendation is for at least 2048 bits (roughly the equivalent of 112 AES-like bits), though that's considered pushing it a bit. To get to the equivalent of a 128-bit AES key, you need a 3072-bit RSA key; to match AES-256, you need a 15360-bit RSA key! Such keys actually get used today. In 2005, if you combine published estimates, experts were predicting that 1024-bit RSA should be phased out by 2010 (though high-value uses should move faster). OK, so half way through that period, *one* 1024-bit RSA key was broken ... though in fact even that isn't true. (Breaking an RSA key amounts to factoring a large number into its two constituent primes. What the link points to was a successful factorization of a very specially chosen number - 2^1039-1 - for which even better mathematical techniques are known. Even so, it took the equivalent of 100 years of computer time. An indication that it was time to move on from 1024-bit keys? Absolutely. A practical "break" for massive numbers of RSA keys? Not quite.
An alternative to RSA is elliptic curve crypto (ECC), which has the same public-key properties but can use many more possible combinations of bits in a key, so can get by with dramatically shorter keys. In fact, to get the ECC equivalent of n-bit AES, you need 2n-bit ECC.
-- Jerry
A note of caution
See "Second Circuit Strikes Down “Hot News” Injunction Against Flyonthewall — but Will the Misappropriation Tort Become More Invasive?" http://pubcit.typepad.com/clpblog/2011/06/second-circuit-strikes-down-hot-news-injunction-against-fl yonthewall-but-will-the-misappropriation-t.html for a note of caution about this ruling. Briefly, Paul Alan Levy is concerned that the ruling ignored First Amendment and other broad issues and narrowly focused on the detailed fact pattern. It explicitly did *not* strike down the Hot News doctrine. As a result, it may have little precedential value - and leaves Hot News like "fair use", something that no court has fully pinned down so that you never know for sure where the boundaries like.
It's certainly true that courts consider it a virtue to rule as narrowly as possible, and only answer questions actually asked by a particular case. But we also need broader principles to emerge so that people can have reasonable certainty of how new, but not completely novel, cases will be treated. If Levy is correct, we're going to have to see more Hot News cases decided before we really know where we stand.
-- Jerry
(untitled comment)
Each WPA association in shared secret (PSK) mode uses a unique session key, which is computed using the shared secret (the password you enter), the MAC addresses of the two ends of the association, and two random numbers, once generated at each end. So if you enable WPA but with password "password" - or anything else - each individual device will actually use a different encryption key in conversations with the access point.
*If* someone is monitoring at the time the association is set up, they will get all the data needed to compute the actual session key. But if they weren't able to see the establishment of the association, they can't derive the key. So, unlike the case with non-encrypted connections, just being able to converse with the access point doesn't mean you can read all its traffic. In fact, you can only read your own.
Now, this is not a very robust kind of protection. One attack against an existing connection is to interfere with it in any of a variety of ways, forcing it to be re-established - at a time when you are presumably monitoring, Still, it's better than nothing - and it's sufficient to render connections opaque to Firesheep.
A convention some people are following is to give the network a name that tells you what password to use. Of course, you can (depending on the exact circumstances) simply tell people what the password is - or put up a sign with that information.
-- Jerry
...and it doesn't even work reliably
For all the effort and money, the Times's paywall doesn't even work right. My wife ran into it last weekend. She'd apparently reached her limit of 20 stories. We're actually long-time paper subscribers, so "just had to log in". Except it wouldn't work. She actually called the Times support line. They had us clear cookies, log out, and log back in again. That worked for one or two stories - at which point it kicked in again.
Fortunately, for Safari uses, there's a *built in workaround*: Just click the "Reader" button.
There are so many levels on which the Times just doesn't get it. They pissed off a very long time subscriber, wasted support costs (non-trivial, if you look at general industry costs) for *two* calls, the second of which was just a complaint that it didn't work - and ended up with another person who now knows how to get around their code when she needs to.
-- Jerry
Federal False Claims Act?
The Federal False Claims Act - allowing anyone to file a suit "on behalf of the Federal Government" against a Federal contractor for frauds against the government, and then share in any award - has been on the books since 1863 and has been used and upheld through this day. It was actually broadened in 1986 and 2009. So there's by no means an absolute bar to Congress's ability to allow private citizens to act when the government itself has failed to.
How that will play out in this case - exactly where a court will draw the lines on what Congress can and cannot delegate - I have no clue. But it's certainly not obvious that Congress can't allow anyone to help enforce the Patent Marking restrictions.
-- Jerry
Why let the facts get in the way of a good complaint?
Judges are supposed to follow the law as written - whether they like it or not. (There are out's for them in some cases, but usually not.) The decision they rendered here was based on the language Congress handed them: The court relied on the “exceedingly broad language” of § 1030(e)(1) that “’[i]f a device is “an electronic … or other high speed data processing device performing logical, arithmetic, or storage functions,’ it is a computer.” The court also held that “there is nothing in the statutory definition that purports to exclude devices because they lack a connection to the Internet.”
Congress also wrote the law that, for the most part, takes away a judge's discretion in deciding on the sentence. One can make some arguments for this (it increases predictability, it helps ensure that rich white kids don't get shorter sentences for the same crime as poor black kids); one can make political arguments for it (people feel judges are too lenient and have chosen, through their elected representatives, to be tougher on criminals); and one can make very good arguments *against* it (basically, little in real life is cut and dried and trying to pin things down too much leads to miscarriages of justice). Nevertheless, this is the law we have on the books today.
I'd be the first to agree that it's absurd to enhance a sentence based on "use of a computer" when that "computer" is a cell phone. Hell, I'd even agree that enhanced sentencing for using a computer on the Internet is a bad idea. But I disagree that this is an indictment of the judges involved. It's an indictment of Congress, which passed bad laws.
The first part of fixing a problem is putting the blame in the right place.
-- Jerry
(untitled comment)
Is it legitimate for Apple to do something like this? There's plenty of precedent. Apple views their store as ... like a store. Try going into a Walmart, setting up a booth, and selling books or CD's or whatever. You want to sell at Walmart? You use their system: You deliver stuff wholesale, they get it out to consumers. Start an auction on Ebay, then make side deals with people to sell stuff without Ebay getting its cut, and they'll close your account (and perhaps go after you if for what you owed) if they find out. A real estate agent gets paid even if you find a customer yourself. (I bought my first house based on a newspaper ad. The seller was pissed that he had to pay the broker, who had absolutely nothing to do with the sale, his 3% - but the contract with the broker required it and is quite enforceable.) In a way, Apple is being more open here than Walmart would be: It's as if Walmart said "sure, set up your booth - but you also have to let us sell your books/CD's at the same time."
Is it a good idea for Apple to do this? We'll see. Sony and Amazon and Barnes and Noble are certainly pissed about it, but realistically, if you're an Apple customer, this is unlikely to hurt you - and in fact it probably makes it more convenient for you. (The only way you as a consumer get hurt is if Sony and Amazon and B&N decide to drop their apps entirely. That seems unlikely - Apple didn't make this move until it was offering a market so large that they would find it difficult to walk away. But Amazon in particular is no pushover - they'll certainly bargain hard. We have certainly not heard the last word on how this will actually work.)
-- Jerry
Re: No Way
If you're going to split Verizon, you have to split AT&T along the same lines - classic DSL vs. U-Verse, with the slowest marketed U-Verse speed being twice the highest classic DLS speed.
But if you start down that path, why not start splitting cable providers into areas where they've built out DOCSIS 3.0 and areas where they haven't?
The fact is that no one (other than the carriers themselves) have data this fine-grained - and it's not even clear that they do. Oh, they know the theoretical speeds of their "last-mile" offering; but that's nowhere near the same thing as actual measured data. Fios, for all the theoretical speed of its fiber, could have crippled connections into and out of wherever all that fiber converges. Or there could be other things limiting them, perhaps even stuff they aren't aware of.
The Netflix data is valuable exactly because it's measured, not a guess. Networks are complex combinations of many different components, and you're kidding yourself if you think you can know the performance of any non-trivial network without measurement.
-- Jerry
(untitled comment)
Sigh. So many remarks, so little understanding. And in this case, understanding is actually quite important.
The attack on Facebook *was* a man-in-the-middle-attack, not just keystroke logging. Like many sites - including stores and even banks - Facebook encrypted the password (and probably the username) that you sent. You'll see sites that do that show a little "why is this secure?" help box to assure you that, no, the page itself doesn't show a lock indicator (because it isn't https) but your credentials are perfectly safe because they are sent "using 128-bit encryption".
But they are not at all safe because you have no idea who you are actually talking to. It could be Facebook/the store/your bank; or it could be someone who mocked up a page that looks like Facebook's/your store's/your bank's, complete with a nice, encrypted username/password mechanism, sending your username/password right to them. The Tunisian attack was a slight variation in that they modified the real page on the fly to inject this attack, rather than making up a fake site - but the end result was the same.
If you're going to put your stuff in a safe-deposit box handed to you by a bank official - make sure you're really at a bank, and that it's a real bank official handing you the box! Relying on a "secure username/password" field on an unauthenticated page is like accepting an offer of a safety deposit box from some guy on the street outside the bank. Sure, the box is solid steel and the lock is high quality - but who else has the key?
If a site you deal with offers "security" by encrypting just the login information - complain to them. You'll almost certainly be unable to get a message to anyone who actually understands the issue - but if you follow up by closing your accounts, eventually they'll get a clue.
-- Jerry