from the imitation-is-more-than-just-flattery dept
We're back again with another in our weekly reading list posts of books we think our community will find interesting and thought-provoking. Once again, buying the book via the Amazon links in this story also helps support Techdirt.
This week, we've got the wonderful book The Knockoff Economy: How Imitation Sparks Innovation by law professors Kal Raustiala and Chris Sprigman. We have written about the book before and have even hosted some excerpts from the book, but it's a really great and important read. We mentioned it earlier this week in our story about the attempts to lock up pot with intellectual property protections -- because that story reflected much of what's in the Knockoff Economy.
The key point of the book is to highlight that the very premise behind many calls for intellectual property protection doesn't stand up to much scrutiny. Defenders of the system usually insist that copyrights and patents are necessary for creating the incentives to create or to innovate in a market. Yet, Raustiala and Sprigman carefully detail a bunch of different industries that don't have intellectual property protection, and over and over again, they see the same thing: more competition and more innovation, rather than less. For many years, we've highlighted the fact that it is frequently competition that drives innovation, yet so much of our public policy is based on the fallacy that it's monopoly rights that drive innovation. Thus, the Knockoff Economy is a really useful work in highlighting that perhaps the very premise that so much intellectual property protection is based on is wrong.
That's not to say, necessarily, that copyrights or patents have no place at all in modern society (though I know some of you do believe that). But, at the very least, we should be looking at what the actual impact of those laws is, and whether they are really increasing innovation or doing something else entirely.
All of this is no surprise, as just a couple of months ago the intelligence community's top lawyer flat-out admitted that he and his friends planned to wait for the next terrorist attack to push their agenda.
Of course, over the past few days, the following has happened:
So that seems to be the story so far, despite what you may have seen with hand-wringing and all sorts of freakouts in the press about encryption.
Yes, preventing terrorism is important. And it would be great if the intelligence community were actually able to do that. But it seems pretty clear that mass surveillance techniques aren't doing much to help at all, though they are diminishing the privacy of everyday citizens. Perhaps before rushing to expand the surveillance state and undermine the encryption that actually does keep us all safe, we should recognize reality, rather than the fantasy-land pronouncements of FBI Director James Comey, CIA Director John Brennan and their friends.
Famous TV news talking head Ted Koppel recently came out with a new book called Lights Out: A Cyberattack, A Nation Unprepared, Surviving the Aftermath. The premise, as you may have guessed, is that we're facing a huge risk that "cyberattackers" are going to take down the electric grid, and will be able to take it down for many weeks or months, and the US government isn't remotely prepared for it. Here's how Amazon describes the book:
Investigative reporting that reads like fiction - or maybe I just wish it was fiction. In Lights Out, Ted Koppel flashes his journalism chops to introduce us to a frightening scenario, where hackers have tapped into and destroyed the United States power grids, leaving Americans crippled. Koppel outlines the many ways our government and response teams are far from prepared for an un-natural disaster that won't just last days or weeks - but months - and also shows us how a growing number of individuals have taken it upon themselves to prepare. Whether you pick up this book to escape into a good story, or for a potentially potent look into the future, you will not be disappointed.
The book also has quotes ("blurbs" as they're called) from lots of famous people -- nearly all of whom are also famous TV news talking heads or DC insiders who have a long history of hyping up "cyber" threats. But what's not on the list? Anyone with any actual knowledge or experience in actual computer security, especially as it pertains to electric grids.
Want to know how useful the book actually is? All you really need to read is the following question and answer from an interview Koppel did with CSO Online:
Did you interview penetration testers who have experience in the electric generation/transmission sector for this book?
No, I did not.
Also in that interview, Koppel admits that he hasn't heard anything from actual information security professionals (though he admits he may have missed it since he's been on the book tour). But, still, if you're writing an entire book with a premise based entirely on information security practices, you'd think that this would be the kind of thing you'd do before you write the book, rather than after it's been published. Instead, it appears that Koppel just spoke to DC insiders who have a rather long history of totally overhyping "cyberthreats" -- often for their own profits. In another interview, Koppel insists that he didn't want to be spreading rumors -- but doesn't explain why he didn't actually speak to any technical experts.
“Going in, what I really wanted to do was make sure I wasn’t just spreading nasty rumors,” said Koppel in a phone interview.... “After talking to all these people, I satisfied my own curiosity that this not just a likelihood but almost inevitable.”
"All these people"... who apparently did not include any computer security experts. Koppel claims that this isn't a priority because Homeland Security doesn't want to "worry" the American public:
“The public would have to understand it’s a plan that will work but if you don’t have a plan, that can be more worrisome. I just hope it becomes part of the national conversation during the presidential campaign.”
What?!? Homeland Security doesn't want to worry the American public? Which Homeland Security is he talking about? The one that manhandles the American public every time they go to an airport? The same one that is constantly fearmongering about "cyber attacks" and "cyber Pearl Harbor"? Is Koppel living in some sort of alternative universe?
Is there a chance that hackers could take down electric grids and it would cause serious problems? Sure. Anything's possible, but somehow we've gotten along without a single incident ever of hackers taking down any part of the electrical grid to date. And most actual information security professionals don't seem to think it is a "likely" scenario as Koppel claims. The whole thing seems to fit into the usual category of cyberFUD from political insiders who are salivating over the ability to make tons and tons of money by peddling fear.
Is it important to protect infrastructure like the electric grids? Yes. Should we be aware of actual threats? Absolutely. But overhyping the actual threat doesn't help anyone and just spreads fear... and that fear is quickly lapped up by people who will use it to profit for themselves.
from the let's-put-the-blame-where-it-belongs dept
Over the past few days, we've been highlighting the fever pitch with which the surveillance state apologists and their friends have been trampling over themselves to blame Ed Snowden, blame encryption and demand (and probably get) new legislation to try to mandate backdoors to encryption.
And yet, as we noted yesterday, it now appears that the attackers communicated via unencrypted SMS and did little to hide their tracks. On top of that, as Ryan Gallagher at the Intercept notes, some of the attackers were already known to law enforcement and the intelligence community as possible problems. But they were still able to plan and carry out the attacks. Even more to the point, Gallagher points out that after looking at the 10 most recent high profile terrorist attacks, the same can be said for each of them:
The Intercept has reviewed 10 high-profile jihadi attacks carried out in Western countries between 2013 and 2015..., and in each case some or all of the perpetrators were already known to the authorities before they executed their plot. In other words, most of the terrorists involved were not ghost operatives who sprang from nowhere to commit their crimes; they were already viewed as a potential threat, yet were not subjected to sufficient scrutiny by authorities under existing counterterrorism powers. Some of those involved in last week’s Paris massacre, for instance, were already known to authorities; at least three of the men appear to have been flagged at different times as having been radicalized, but warning signs were ignored.
Nicholas Weaver, writing over at Lawfare, has a really fantastic article on "the limits of the panopticon" that basically puts all of this into perspective, noting that (1) with so many "known radicals" to follow, there is no way for the intelligence community/law enforcement to actually get the information to predict these attacks and (2) there are plenty of ways for people who know each other to communicate, even without encryption, that won't increase suspicion.
First, the sheer volume of “known radicals” – at least 5000 – makes prospective monitoring impossible. How does one effectively monitor 5000 individuals and identify who among them will pose an actual threat? After all, most never will. It didn’t matter that Salah Abdeslam used his own name and credit card when booking his hotel room. Abdeslam was simply one of thousands identified as maybe or maybe not posing a threat.
Even reducing the volume of targets may be insufficient. Assuming the authorities were able to focus on 500 or 50 individuals instead of 5000, the communication patterns of a terrorist cell are remarkably similar to those of any family or group. Unless authorities are aware that an individual is actively (rather than potentially) dangerous, electronic monitoring may provide little prospective benefit, unless they can intercept the contents of a communication that makes a threat clear.
But the communication content of an even minimally proficient terrorist provides little value. Human codes are often employed. We now know that final coordination took place using unencrypted SMS, but unless one has already identified the terrorist cell and at least some basic details of a plot, tracking an SMS that says "On est parti on commence" (which roughly translates to “Let’s go, we’re starting”) provides little actionable intelligence.
In other words, all the calls for increased surveillance and less encryption really seem like a smoke screen by an intelligence community that failed. It's entirely possible that their job is an impossible one, but at the very least we should be dealing in that reality. Instead, the intelligence community that failed is doing everything possible to shift the blame to encryption and Snowden, rather than admitting the fact that they knew who these people were, that encryption wasn't the issue and that maybe doubling down on those policies won't help at all. Of course, it might take some of the pressure off of them for failing to prevent the attack.
Still, as we've noted, almost every case of a "prevented" attack hasn't involved actual plotters, but rather the fake cooked-up plots by the FBI itself. So, we seem to have a law enforcement and intelligence community that is terrible at stopping real plots, but really good at putting unrelated people in jail for made-up plots. And now they want more power for surveillance and to undermine the encryption that keeps us all safe?
Current and former government officials have been pointing to the terror attacks in Paris as justification for mass surveillance programs. CIA Director John Brennan accused privacy advocates of "hand-wringing" that has made "our ability collectively internationally to find these terrorists much more challenging." Former National Security Agency and CIA director Michael Hayden said, "In the wake of Paris, a big stack of metadata doesn't seem to be the scariest thing in the room."
Ultimately, it's impossible to know just how successful sweeping surveillance has been, since much of the work is secret. But what has been disclosed so far suggests the programs have been of limited value. Here's a roundup of what we know.
An internal review of the Bush administration's warrantless program – called Stellarwind – found it resulted in few useful leads from 2001–2004, and none after that. New York Times reporter Charlie Savage obtained the findings through a Freedom of Information Act lawsuit and published them in his new book, Power Wars: Inside Obama's Post–9/11 Presidency:
[The FBI general counsel] defined as useful those [leads] that made a substantive contribution to identifying a terrorist, or identifying a potential confidential informant. Just 1.2 percent of them fit that category. In 2006, she conducted a comprehensive study of all the leads generated from the content basket of Stellarwind between March 2004 and January 2006 and discovered that zero of those had been useful.
In an end note, Savage then added:
The program was generating numerous tips to the FBI about suspicious phone numbers and e-mail addresses, and it was the job of the FBI field offices to pursue those leads and scrutinize the people behind them. (The tips were so frequent and such a waste of time that the field offices reported back, in frustration, "You're sending us garbage.")
In 2014, the President's Review Group on Intelligence and Communications Technologies analyzed terrorism cases from 2001 on, and determined that the NSA's bulk collection of phone records "was not essential to preventing attacks." According to the group's report,
In at least 48 instances, traditional surveillance warrants obtained from the Foreign Intelligence Surveillance Court were used to obtain evidence through intercepts of phone calls and e-mails, said the researchers, whose results are in an online database.
More than half of the cases were initiated as a result of traditional investigative tools. The most common was a community or family tip to the authorities. Other methods included the use of informants, a suspicious-activity report filed by a business or community member to the FBI, or information turned up in investigations of non-terrorism cases.
Another 2014 report by the nonprofit New America Foundation echoed those conclusions. It described the government claims about the success of surveillance programs in the wake of the 9/11 attacks as "overblown and even misleading."
An in-depth analysis of 225 individuals recruited by al-Qaeda or a like-minded group or inspired by al-Qaeda's ideology, and charged in the United States with an act of terrorism since 9/11, demonstrates that traditional investigative methods, such as the use of informants, tips from local communities, and targeted intelligence operations, provided the initial impetus for investigations in the majority of cases, while the contribution of NSA's bulk surveillance programs to these cases was minimal.
Edward Snowden's leaks about the scope of the NSA's surveillance system in the summer of 2013 put government officials on the defensive. Many politicians and media outlets echoed the agency's claim that it had successfully thwarted more than 50 terror attacks. ProPublica examined the claim and found "no evidence that the oft-cited figure is accurate."
It's impossible to assess the role NSA surveillance played in the 54 cases because, while the agency has provided a full list to Congress, it remains classified.
The NSA has publicly discussed four cases, and just one in which surveillance made a significant difference. That case involved a San Diego taxi driver named Basaaly Moalin, who sent $8,500 to the Somali terrorist group al-Shabab. But even the details of that case are murky. From the Washington Post:
In 2009, an FBI field intelligence group assessed that Moalin's support for al-Shabab was not ideological. Rather, according to an FBI document provided to his defense team, Moalin probably sent money to an al-Shabab leader out of "tribal affiliation" and to "promote his own status" with tribal elders.
Also in the months after the Snowden revelations, the Justice Department said publicly that it had used warrantless wiretapping to gather evidence in a criminal case against another terrorist sympathizer, which fueled ongoing debates over the constitutionality of those methods. From the New York Times:
Prosecutors filed such a notice late Friday in the case of Jamshid Muhtorov, who was charged in Colorado in January 2012 with providing material support to the Islamic Jihad Union, a designated terrorist organization based in Uzbekistan.
Mr. Muhtorov is accused of planning to travel abroad to join the militants and has pleaded not guilty. A criminal complaint against him showed that much of the government's case was based on intercepted e-mails and phone calls.
Local police departments have also acknowledged the limitations of mass surveillance, as Boston Police Commissioner Ed Davis did after the Boston Marathon bombings in 2013. Federal authorities had received Russian intelligence reports about bomber Tamerlan Tsarnaev, but had not shared this information with authorities in Massachusetts or Boston. During a House Homeland Security Committee hearing, Davis said,
"There's no computer that's going to spit out a terrorist's name. It's the community being involved in the conversation and being appropriately open to communicating with law enforcement when something awry is identified. That really needs to happen and should be our first step."
Republished from ProPublica.
By now you probably know the drill: Comcast will do something incredibly stupid, and a customer that has been struggling to get the company to fix it for a year (or longer) will have absolutely no luck getting the issue resolved. They'll subsequently contact the media out of frustration and (especially if the screw up goes viral) Comcast will finally resolve the problem -- usually within a day. The company then trots out claims that this is simply an "anecdotal" experience and not representative of the great care and skill with which it manages its beloved customers. Rinse, wash, repeat.
The latest story of this type comes from a Comcast customer of eight years who was incorrectly over-billed for service by the cable company. Not recognizing its own error, the company also sent collection agencies after the customer to obtain money never actually owed them. And, as always, the user attempted for eighteen months to get Comcast to realize its screw up to no avail:
"I called Comcast a total of 10 times beginning 5/31/2014 and wasted at least 10 hours of my life trying to fix a problem that they created,” Mueller told Ars. “In making those calls I was hung up on, transferred, and dismissively told to just wait it out.”
The problem was seemingly fixed in November 2014, yet almost exactly one year later Mueller got a letter from another collection agency. More calls to Comcast this month didn’t fix the problem immediately, and Mueller contacted Ars out of frustration."
A problem that never should have happened in the first place? Check. Apathetic and incompetent support? Check. Being forced to contact the press in the hopes somebody can light a fire under Comcast's ass? Check. It's not hyperbole to state that this sort of thing happens weekly in news outlets all over the country, and the negative public sentiment and press generated by this incompetence lambada was a big reason regulators scrapped the company's attempted acquisition of Time Warner Cable. Even magician and top Comcast lobbyist David Cohen couldn't fix what was broken.
Of course, as the story always goes, once the press was contacted it was a trivial problem for Comcast to fix:
"It blows me away that the burden is on me to fix their mistake and that it is taking so much of my resources,” Mueller told us. “I really would like to bill them for my time.” Mueller was also worried the collection agencies' involvement would harm his credit rating. After talking to Mueller, we reached out to our contacts in Comcast’s public relations group on Thursday last week. A Comcast spokesperson researched the issue, and the very next day someone else from Comcast called Mueller to tell him that the problem was fixed for good."
Why, after a decade of stories like this, is the press still responsible for fixing Comcast's screw ups? Because Comcast customers are either too lazy to switch, or don't have an adequate TV or broadband service to switch to. And as the industry continues to consolidate into just a handful of players (AT&T buys DirecTV, Charter buys Time Warner Cable and Bright House), the incentive to compete on both fronts decreases further as geographic dominance grows. These giant, publicly traded companies then usually look to customer service budget cuts first when trying to please Wall Street with relentlessly better quarter over quarter results.
The problem is, no matter how many times this pattern has repeated over the last decade, Comcast never seems to get any better at its job. Claims that it recognizes its own dysfunction and promises to improve are now a yearly phenomenon for Comcast, yet customer satisfaction studies never budge. It's pathetic that it takes press intervention to routinely fix fairly basic mistakes that balloon into legendary annoyance; if Comcast can't get its household in order perhaps it can start paying those folks (be it Reddit users or the media) who keep having to play the middle man.
Historically, the cable and broadcast industry has responded to Internet video competition in the only way a mammoth legacy industry knows how: denial, dirty tricks, price hikes, more dirty tricks, and more denial. And instead of giving customers what they want (lower prices, ad skipping technology, more flexibility in programming packages) they've arguably often made things worse -- like stuffing more ads into every viewing hour.
Nielsen data suggests that, since 2009, ad time per hour has gone up from 14:27 to 15:38 minutes on cable, and from 13:25 to 14:15 minutes on broadcast. When all the ads wouldn't fit, they'd just edit or speed up the programs, or utilize more product placement. All while raising rates on consumers at four times the pace of inflation. But there's a small indication that the cable and broadcast industry may have finally started realizing they can no longer get away with this in the Netflix age.
"We know one of the benefits of an ecosystem like Netflix is its lack of advertising,” Howard Shimmel, chief research officer at Time Warner’s Turner Broadcasting, said in an interview. “Consumers are being trained there are places they can go to avoid ads."
"Viacom CEO Philippe Dauman talked about cutting ad loads during an investor conference in September. Viacom has been working on non-Nielsen metrics to sell advertising as more of its younger viewers watch on non-traditional platforms..."With those kicking in we’ll be in position—we’ve been talking to a lot of advertisers about it, which they like—to reduce ad load in primetime across our networks, which will improve the consumer experience and drive pricing," Dauman said.
Granted we're not out of the deep, dark denial woods quite yet. These companies may be cutting ad load but they're just charging more for the same ads, hoping they can rebalance the books and ignore the Internet video revolution waiting in the wings. Many other execs still see cord cutting as a bit of a fad, one that will reverse itself once Millennials procreate. The reality is that you'll know the cable and broadcast industry is finally taking Internet video seriously when they do the one thing most of the industry's execs are utterly terrified of: competing on price.
It's a commonplace that software permeates modern society. But it's less appreciated that increasingly it permeates many fields of science too. The move from traditional, analog instruments, to digital ones that run software, brings with it a new kind of issue. Although analog instruments can be -- and usually are -- inaccurate to some degree, they don't have bugs in the same way as digital ones do. Bugs are much more complex and variable in their effects, and can be much harder to spot. A study in the F1000 Research journal by David A. W. Soergel, published as open access using open peer review, tries to estimate just how much of an issue that might be. He points out that software bugs are really quite common, especially for hand-crafted scientific software:
It has been estimated that the industry average rate of programming errors is "about 15-50 errors per 1000 lines of delivered code". That estimate describes the work of professional software engineers -- not of the graduate students who write most scientific data analysis programs, usually without the benefit of training in software engineering and testing. The recent increase in attention to such training is a welcome and essential development. Nonetheless, even the most careful software engineering practices in industry rarely achieve an error rate better than 1 per 1000 lines. Since software programs commonly have many thousands of lines of code (Table 1), it follows that many defects remain in delivered code -- even after all testing and debugging is complete.
To take account of the fact that even when there are bugs in code, they may not affect the result meaningfully, and that there's also the chance that a scientist might spot them before they get published, Soergel uses the following formula to estimate the scale of the problem:
Number of errors per program execution =
total lines of code (LOC)
* proportion executed
* probability of error per line
* probability that the error meaningfully affects the result
* probability that an erroneous result appears plausible to the scientist.
He then considers some different cases. For what he calls a "typical medium-scale bioinformatics analysis":
we expect that two errors changed the output of this program run, so the probability of a wrong output is effectively 100%. All bets are off regarding scientific conclusions drawn from such an analysis.
Things are better for what he calls a "small focused analysis, rigorously executed": here the probability of a wrong output is 5%. Soergel freely admits:
The factors going into the above estimates are rank speculation, and the conclusion varies widely depending on the guessed values.
But he rightly goes on to point out:
Nonetheless it is sobering that some plausible values can produce high total error rates, and that even conservative values suggest that an appreciable proportion of results may be erroneous due to software defects -- above and beyond those that are erroneous for more widely appreciated reasons.
That's an important point, and is likely to become even more relevant as increasingly complex code starts to turn up in scientific apparatus, and researchers routinely write even more programs. At the very least, Soergel's results suggest that more research needs to be done to explore the issue of erroneous results caused by bugs in scientific software -- although it might be a good idea not to use computers for this particular work....
Physical cash seems to be a bit less popular than it once was. Some European countries are even contemplating completely digital currencies to combat the potential side effects of negative interest rates (i.e. people taking out all of their savings as cash). At the same time, Bitcoin and other cryptocurrencies could provide other means of payments without dealing with physical cash. So are we ready for a cashless society? (No, probably not for some time.) However, digital currencies could take away the importance of centralized banking, bit by bit. Perhaps some older forms of savings will make a comeback.