by Mike Masnick
Tue, Oct 21st 2014 8:09am
by Mike Masnick
Thu, Oct 9th 2014 9:34am
from the moral,-economic-and-patriotic dept
The execs repeated the same basic points over and over again. They had been absolutely willing to work with law enforcement when and where appropriate based on actual court orders and review -- but that the government itself completely poisoned the well with its activities, including hacking into the transmission lines between overseas datacenters. Thus, as Eric Schmidt noted, if the NSA and other law enforcement folks are "upset" about Google and others suddenly ramping up their use of encryption and being less willing to cooperate with the government, they only have themselves to blame for completely obliterating any sense of trust.
Microsoft's Brad Smith, towards the end, made quite an impassioned plea -- it sounded more like a politician's stump speech -- about the need for rebuilding trust in the internet. It's at about an hour and 3 minutes into the video. He points out that while people had expected Congress to pass the USA Freedom Act, the rise of ISIS and other claimed threats has some people scared, but, he notes:
We need to look the world's dangers in the face. And we need to resolve that we will not allow the dangers of the world to freeze this country in its tracks. We need to recognize that antiquated laws will not keep the public safe. We need to recognize that laws that the rest of the world does not respect will ultimately undermine the fundamental ability of our own legal processes, law enforcement agencies and even the intelligence community itself. At the end of the day, we need to recognize... the one asset that the US has which is even stronger than our military might is our moral authority. And this decline in trust has not only affected people's trust in American technology products. It has affected people's willingness to trust the leadership of the United States. If we are going to win the war on terror. If we are going to keep the public safe. If we are going to improve American competitiveness, we need Congress to stay on the path it's set. We need Congress to finish in December the job the President put before Congress in January.
It was a good talk, and it basically was a chance for all these tech execs to express similar concerns and to do so loudly. It's perfectly reasonable to suggest that the tech industry was complacent on these issues in the past, that they were too trusting (often way too trusting) of the government, that they should have started from a position of distrust and should have encrypted everything possible from the get go. Frankly, those are very legitimate criticisms. But, it's pretty clear that these tech companies are now pissed off at the government and the fact that it undermined everything, including their own businesses around the globe -- and they're determined to win back the trust of the public, whether or not the government is willing to cooperate. I find that encouraging, though I'd still like to see pretty much all of the companies do even more on the encryption front.
As I said, there wasn't anything earth shattering, but it's clear that these companies have all seen the impact from the government's overbroad surveillance efforts, and they're not just concerned about it from their direct bottom line, but what it means for the overall internet. Multiple execs talked about not just moral authority, as Smith mentioned, but the moral imperative to use the internet to create greater connectivity and raise the ability of people around the globe -- and how much more difficult the NSA had made things.
I know that some cynical folks will claim this is all for show. But there is a real concern that comes across here about just how devastating the NSA's actions have been (and continue to be). Schmidt was absolutely right that if law enforcement and the intelligence community are upset about it, they only have themselves to blame.
by Mike Masnick
Tue, Sep 30th 2014 2:21pm
Analysis Suggests More Than Half Of Google & Microsoft's Patents Likely Invalid Thanks To The Supreme Court
from the good-news dept
A new analytical study of patents held by big tech companies, done by ktMINE, suggests that more than half of Google and Microsoft's patents are invalid under Alice. The biggest loser of all, however, may be Oracle, with an astounding 76% of all of its patents vulnerable to the ruling. Twenty-five companies are listed -- and there are some interesting ones. Rockstar -- which is a patent troll "privateer" set up by Microsoft and Apple -- has 31% of patents at risk. Intellectual Ventures has 24% of its patents at risk (I would have expected more). IBM -- which has a tremendous patent portfolio -- has 49% at risk.
The article suggests that this may have a major impact as these companies lose "vitally important strategic assets," but that's generally almost entirely bogus. Other than for the trolls, where these patents are their only "asset" (if you can call them that), for operating companies, patents have always been much more of a hindrance than a benefit. Many of the companies in the list have a huge patent portfolio mainly for defensive, rather than offensive reasons, and the patents have little to do with day to day operations. They have almost no impact on how the company is actually innovating or growing. In fact, as we've seen, patents are generally only useful for companies that are on the downswing, as they lash out at innovators who are on the upswing. If there were a real concern here, it's likely that we would have seen it in the stock prices of these tech companies -- but most of the companies on the list shrugged off the decision (or are even happy about it) because they can just focus on innovating, rather than bogus, wasteful lawsuits.
In fact, it might make for an interesting study to look at the impact of the Alice decision on the stock prices of these companies, and note how little the patent portfolios they hold are really worth, given the likelihood that so many are invalid.
by Mike Masnick
Mon, Sep 8th 2014 3:48pm
Marketing Failure: Microsoft Pays NFL To Use Its Surface Tablets -- And People Still Call Them 'iPad-Like Tools'
from the didn't-get-the-memo dept
by Mike Masnick
Tue, Sep 2nd 2014 5:54am
from the that's-not-how-this-works dept
The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.
Unfortunately, as we noted at the end of July, the judge in the case, Loretta Preska, sided with the DOJ.
On Friday, Judge Preska did what was basically a procedural move. When she had made the original ruling, she had put a stay on the ruling, fully expecting Microsoft to appeal. This is fairly standard procedure. When a district court judge knows a ruling is likely to be appealed the judge will frequently "stay" the ruling pending the appeal. The DOJ claimed that this was a procedural error and that the particular order, for a whole host of boring legal reasons, is not an "appealable order" and that the stay is inappropriate for that reason. Everyone involved in the case -- the Judge, Microsoft and the DOJ -- knows that it's going to go to an appeal. There's just a very, very minor debate over the correct legal process to get it to appeal. Judge Preska agreed that the original order probably is not appealable, and thus the stay order makes no sense, since it was only pending the appeal. Thus, to speed things along, she lifted the stay, noting quite clearly that this was to help along the appeal process:
Both parties share the common goal of permitting the Court of Appeals to hear this case as soon as possible. Their disagreement concerns the correct path to that goal. In other words, the parties agree on the destination but the route to get there is the subject of hot dispute.
Basically, this was a very minor move to push things onto the proper legal track to get this case before the appeals court. Because the original order isn't technically appealable, the stay didn't make any sense, so the Judge removed it, with everyone knowing that Microsoft won't hand over the info, leading the Judge to issue a different ruling that can be appealed. I saw the news on Friday and realized it wasn't worth writing about, because it's basically nothing.
However, a few sites appear to have totally misread this into being a big deal. If you don't read carefully, seeing that a judge lifted a stay suggests that Microsoft is being forced to hand over the info. But anyone who actually read any of the details (including the decision and/or the Reuters report that broke the news) should have known that wasn't actually the case. Microsoft then said the most obvious thing in the world: that it wasn't handing over the info, because it hasn't done that all along and this is what it needs to do to get the case to appeal. But a bunch of sites misread the whole thing as if Microsoft was somehow taking a new stand, rather than just procedurally moving things forward. A site called WindowsITPro wrote up that Microsoft was now "defying" a court order and this somehow proved it was a heroic company, fighting for its customers:
Despite a federal court order directing Microsoft to turn over overseas-held email data to federal authorities, the software giant said Friday it will continue to withhold that information as it waits for the case to wind through the appeals process. The judge has now ordered both Microsoft and federal prosecutors to advise her how to proceed by next Friday, September 5.
They did this, even though in the very next paragraph the Microsoft statement itself points out that this is nothing more than a procedural issue. Unfortunately, sites like Slashdot also picked up on the WindowsITPro story and repeated the misleading headline.
Let there be no doubt that Microsoft's actions in this controversial case are customer-centric. The firm isn't just standing up to the US government on moral principles. It's now defying a federal court order.
Yes, Microsoft is trying to protect its customers' email data (held in Ireland) in this case. And yes, it's an important case. But Microsoft (and a variety of other tech companies that filed amicus briefs in support of Microsoft's position) took that stand months ago. What happened on Friday was a minor procedural effort to move the case along, and didn't represent any big new "heroic" move by Microsoft to "defy" a court order. Nothing to see here, move on. The appeals court is where this case will actually get interesting.
by Mike Masnick
Mon, Aug 18th 2014 12:18pm
Ridiculous Patent Troll Gets Stomped By CAFC, Just Months After Being Awarded A Huge Chunk Of Google's Ad Revenue
from the couldn't-have-happened-to-a-nicer-bunch dept
While the original ruling against Google in 2012 had the jury reject Vringo's request for nearly $700 million and give it "just" $30 million, in February of this year a judge magically decided that 1.36% of all of Google's AdWords revenue (which is most of its revenue) belonged to Vringo.
Between February and now, however, something wonderful happened. That something wonderful was the Supreme Court's ruling in CLS Bank v. Alice. As we noted at the time, depending on how you read it, it certainly could be interpreted that nearly all software patents were invalid -- even as the ruling itself insisted that wasn't the case. Still, the early returns are promising, with CAFC (apparently finally getting the message) starting to smack down software patents.
So with the Vringo patents before CAFC, it appears they got the Alice treatment, with CAFC tossing them out as totally invalid for patenting a basic concept. The ruling focuses on how the ideas were obvious to those skilled in the art based on (a rather large amount of) prior art:
As the asserted patents themselves acknowledge, however, search engines, content-based filtering, and collaborative filtering were all well-known in the art at the time of the claimed invention.... The record is replete, moreover, with prior art references recognizing that content-based and collaborative filtering are complementary techniques that can be effectively combined. The WebHound reference explains that “content-based and automated collaborative filtering are complementary techniques, and the combination of [automated collaborative filtering] with some easily extractable features of documents is a powerful information filtering technique for complex information spaces." ... The Fab reference likewise notes that “[o]nline readers are in need of tools to help them cope with the mass of content available on the World-Wide Web,” and explains that “[b]y combining both collaborative and content-based filtering systems,” many of the weaknesses in each approach can be eliminated.... Similarly, the Rose patent, which was filed in 1994 by engineers at Apple Computer, Inc., states that “[t]he prediction of relevance [to a user’s interests] is carried out by combining data pertaining to the content of each item of information with other data regarding correlations of interest between users."
The ruling laughs off Vringo's claims that its patents took things a step further by combining two ideas, pointing out that this was quite obvious at the time.
But the concurring opinion by Judge Mayer calls out the Alice ruling and the fact that this stuff isn't patentable in the first place:
Because the claims asserted by I/P Engine, Inc. (“I/P Engine”) disclose no new technology, but instead simply recite the use of a generic computer to implement a well-known and widely-practiced technique for organizing information, they fall outside the ambit of 35 U.S.C. § 101...
That last line is a fun one.
I/P Engine’s claimed system is merely an Internet iteration of the basic concept of combining content and collaborative data, relying for implementation on “a generic computer to perform generic computer functions.” ...
Moreover, the scope of the claimed invention is staggering, potentially covering a significant portion of all online advertising. I/P Engine’s asserted claims fall outside section 101 because their broad and sweeping reach is vastly disproportionate to their minimal technological disclosure.
Either way, it looks like the writing may be on the wall for software patent trolls. Vringo's stock collapsed after the ruling and some other public patent trolls also saw their stock drop. Couldn't happen to a more deserving group of leeches on innovation.
by Tim Cushing
Fri, Aug 1st 2014 3:33am
French Company That Sells Exploits To The NSA Sat On An Internet Explorer Vulnerability For Three Years
from the kicking-open-backdoors-and-charging-admission dept
Thanks to Snowden's leaks and a host of other information preceding those, it's become clear that intelligence agencies -- despite their constant and loud "worrying" about cyberattacks -- are more than happy to make computers and the Internet itself less safe by purchasing, discovering and hoarding vulnerabilities. These are exploited to their fullest before being reported to the entities that can patch the holes. In the meantime, the NSA and others make use of security holes and vulnerabilities, leaving millions of members of the public exposed.
It may just be arrogance. Maybe these intelligence agencies believe they're the only ones with this access and, because they're ostensibly the "good guys," any collateral damage caused by unpatched vulnerabilities is acceptable. The other option is worse: they just don't care. Their "higher calling" -- the fight against terrorists and hackers -- is more important than the security of computer users around the world.
VUPEN, a French company that sells exploits to the NSA (as well as intelligence and law enforcement agencies around the world) recently capitalized on an Internet Explorer vulnerability it's been sitting on for over three years.
Security outlet VUPEN has revealed it held onto a critical Internet Explorer vulnerability for three years before disclosing it at the March Pwn2Own hacker competition.
For three years, VUPEN held onto this, allowing the exploit of four straight Internet Explorer versions. IE may be losing its grasp on home users, but governments around the world still tend to opt for Microsoft's browser (along with its suite of productivity products). VUPEN finally notified Microsoft of this vulnerability en route to collecting $300,000 for this and other exploits it's been hoarding. (Additional products affected include other widely-used programs like Adobe Flash and Adobe Reader.)
The company wrote in a disclosure last week it discovered the vulnerability (CVE-2014-2777) on 12 February 2011 which was patched by Microsoft on 17 June (MS14-035).
The flaw affected Internet Explorer browsers eight through eleven and allowed remote attackers to bypass the protected mode sandbox.
There can be little doubt that VUPEN turned over these vulnerabilities to whatever intelligence/law enforcement agency would have them during the last three years. Informing Microsoft of this flaw at the point of discovery just isn't a great way to make money. IE users were left unprotected against anyone who wished to exploit the same hole the security contractor had slapped a price tag on.
VUPEN's spin on this bug hoard/$300,000 windfall conveniently leaves out the fact that it sat on these exploits for extended periods of time.
In March 2014, VUPEN has once again won the 1st place at the Pwn2Own 2014 security competition by creating and showing zero-day exploits for Google Chrome, Internet Explorer 11, Adobe Reader XI, Adobe Flash, and Mozilla Firefox. The exploits have fully bypassed all Windows 8.1 security protections and exploit mitigation in place, and all sandboxes. VUPEN has reported all the discovered zero-day vulnerabilities to the affected vendors to allow them to fix the flaws and protect users from attacks.
The word "creating" implies it discovered these holes during the conference and immediately turned them over to the vendors. While it's true that the vendors can now "fix the flaws," the latter half of that sentence ("protect users from attacks") is only true going forward. There's no telling how many attacks occurred over the past months and years while VUPEN hawked its vulnerability stash.
But that's not even the most disingenuous part of VUPEN's pitches. This is:
If you can't read the text, it says:
Do not wait 6 to 9 months for vendor patches to protect your infrastructures and assets from critical vulnerabilities.
So, VUPEN will "protect" your private company from exploits it knows about but won't pass on to vendors until it's managed to sell enough protection plans. Your company wouldn't need to "wait 6 to 9 months" for vendors to patch products if VUPEN and others would turn these over to them sooner. But that's not part of the business plan. There's nothing wrong with a company trying to make money, but hoarding exploits and selling protection against them seems to run very close to extortion. It's like selling home security while running a gang of thieves on the side.
by Mike Masnick
Thu, Jul 31st 2014 3:28pm
Court Says Who Cares If Ireland Is Another Country, Of Course DOJ Can Use A Warrant To Demand Microsoft Cough Up Your Emails
from the say-what-now? dept
Microsoft fought back, noting that the distinction between a warrant and a subpoena is a rather important one. And you can't just say "hey, sure that's a warrant, but we'll pretend it's a subpoena." As Microsoft noted:
This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.
The DOJ hit back earlier this month by basically saying, "yeah, whatever, let's pretend it's a subpoena and give us what we want already."
The Government's interpretation ignores the profound and well established differences between a warrant and a subpoena. A warrant gives the Government the power to seize evidence without notice or affording an opportunity to challenge the seizure in advance. But it requires a specific description (supported by probable cause) of the thing to be seized and the place to be searched and that place must be in the United States. A subpoena duces tecum, on the other hand, does not authorize a search and seizure of the private communications of a third party. Rather, it gives the Government the power to require a person to collect items within her possession, custody, or control, regardless of location, and bring them to court at an appointed time. It also affords the recipient an opportunity to move in advance to quash. Here, the Government wants to exploit the power of a warrant and the sweeping geographic scope of a subpoena, without having to comply with fundamental protections provided by either. There is not a shred of support in the statute or its legislative history for the proposition that Congress intended to allow the Government to mix and match like this. In fact, Congress recognized the basic distinction between a warrant and a subpoena in ECPA when it authorized the Government to obtain certain types of data with a subpoena or a "court order," but required a warrant to obtain a person's most sensitive and constitutionally protected information -- the contents of emails less than 6 months old.
Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark.
Unfortunately, it appears that the judge just went with the DOJ's reasoning -- though she immediately stayed the ruling, since Microsoft made it clear it plans to appeal. Judge Loretta Preska basically just upheld the magistrate judge's ruling that Microsoft could, in fact, be compelled to hand over data held overseas via a warrant under ECPA, the Electronic Communications Privacy Act (which we've already noted has tremendous problems and needs to be reformed).
Beyond the problems this has for the 4th Amendment in the US, it's also going to create a mess in Europe, where they have much stricter data privacy rules, and where something like ECPA is clearly a problem. For the US to argue that it can make ECPA reach across the ocean into European servers is going to be a big problem -- especially at a time when Europeans are (rightfully) distrustful of the US government's ability to snoop on their data.
by Mike Masnick
Fri, Jul 25th 2014 12:12pm
EU Regulators Want Google To Expand Right To Be Forgotten Worldwide And To Stop Telling What Links Have Been Forgotten
from the worldwide-censorship dept
Either way, once Google started removing the requested stories, it did the right thing, alerting the websites that links were being removed. Of course, that just resulted in many of those publications writing about it, and bringing the original news back into the public eye.
In response to all of this, European regulators are apparently quite angry again, summoning representatives from Google, Yahoo and Microsoft (but mainly Google) to argue that the removals should be global, not just for Europe, and that the companies should stop informing websites if their stories were removed. One hopes that these three companies would fight strongly against either such proposal. The idea that Europe can dictate how search engines in other parts of the world work is dangerous. We've already noted that a Canadian court seems to think it has similar powers, and that's going to create a huge mess. Any time courts and regulators in one country think they can dictate how websites work in other countries, that is creating a massive jurisdictional mess (where contradictory rulings may run into each other), as well as allowing oppressive states to claim they, too, have the right to dictate how the web works in more open countries.
As for blocking sites from being informed, that would clearly go against basic transparency principles, and lead to yet another huge mess for websites which will (quite reasonably) wonder why their stories have gone totally missing from Google searches (especially if forced to extend it around the globe).
Of course, the real problem here is with the original ruling. The idea that public information that is widely disseminated already can magically be made private because someone thinks it's embarrassing and that it's no longer important is simply a ridiculous assertion in the first place. All of the problems that have come in implementing this are because the initial premise -- trying to disappear public information -- is so messed up.
by Mike Masnick
Wed, Jul 16th 2014 3:29pm
DOJ Tells Court That Of Course It Can Go On A Fishing Expedition Globally For Emails Microsoft Stores Overseas
from the because-we're-the-us-gov't-dammit dept
This interpretation not only blatantly rewrites the statute, it reads out of the Fourth Amendment the bedrock requirement that the Government must specify the place to be searched with particularity, effectively amending the Constitution for searches of communications held digitally. It would also authorize the Government (including state and local governments) to violate the territorial integrity of sovereign nations and circumvent the commitments made by the United States in mutual legal assistance treaties expressly designed to facilitate cross-border criminal investigations. If this is what Congress intended, it would have made its intent clear in the statute. But the language and the logic of the statute, as well as its legislative history, show that Congress used the word "warrant" in ECPA to mean "warrant," and not some super-powerful "hybrid subpoena." And Congress used the term "warrant" expecting that the Government would be bound by all the inherent limitations of warrants, including the limitation that warrants may not be issued to obtain evidence located in the territory of another sovereign nation.
The DOJ has responded to Microsoft's filing and basically says yeah, whatever, we can take whatever we want, and if it's overseas, who cares?
Overseas records must be disclosed domestically when a valid subpoena, order, or warrant compels their production. The disclosure of records under such circumstances has never been considered tantamount to a physical search under Fourth Amendment principles, and Microsoft is mistaken to argue that the SCA provides for an overseas search here. As there is no overseas search or seizure, Microsoft’s reliance on principles of extra-territoriality and comity falls wide of the mark.
A bunch of tech and telco companies have all jumped into the case on Microsoft's side as well, noting that the DOJ's argument would almost certainly violate data privacy laws in other countries, not to mention piss off governments around the globe. The crux of the argument, as per usual with the DOJ, is that when it wants data, it will twist and twist and twist the laws to enable it to get access to as much data as possible, with as little scrutiny as possible. This is just one of many reasons why we need serious ECPA reform -- such that it actually respects the 4th Amendment. But, in this case, it would be nice to have a judge realize that even under such an outdated law, the DOJ's interpretation is simply out of line.