Mercury Rising 鳯女

Politics, life, and other things that matter

Archive for the ‘computers and software’ Category

Test for Heartbleed

Posted by Charles II on April 11, 2014

As you may know, a very basic vulnerability in the Internet has been discovered, one that may have permitted passwords to be stolen for up to two years. Kaspersky has recommended a test for servers here. The default is for Internet Exploder, but there is also a variant for Firefox and Chrome:

Luckily, there is a long list of popular websites that were checked against the vulnerability. Good news: PayPal and Google are unaffected. Bad news: Yahoo, Facebook, Flickr, Duckduckgo, LastPass, Redtube, OkCupid, 500px and many others were vulnerable. Get ready to act if you have an account on those vulnerable sites.

Here’s a list of vulnerable sites.

Before you change passwords–which is what you need to do–make sure that the patch has been applied.

It would really help if the NSA would devote itself to fixing the Internet rather than spying on Americans. They’re the first ones to know about vulnerabilities, when they’re not creating them.

Via Ars Technica, an interview in the Sydney Morning Herald with the software developer who is responsible for Heartbleed:

Dr Seggelmann, of Münster in Germany, said the bug which introduced the flaw was “unfortunately” missed by him and a reviewer when it was introduced into the open source OpenSSL encryption protocol over two years ago.

“I was working on improving OpenSSL and submitted numerous bug fixes and added new features,” he said.

“In one of the new features, unfortunately, I missed validating a variable containing a length.”

After he submitted the code, a reviewer “apparently also didn’t notice the missing validation”, Dr Seggelmann said, “so the error made its way from the development branch into the released version.” Logs show that reviewer was Dr Stephen Henson.

Dr Seggelmann said the error he introduced was “quite trivial”, but acknowledged that its impact was “severe”.
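The missing length check Dr Seggelmann describes, reduced to its basic shape in an added C example (this is not OpenSSL's code): a heartbeat handler that trusts the payload length the sender declared, beside one that checks it against the number of bytes actually received. The record layout is simplified and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_REQUEST 1
#define HB_RESPONSE 2
#define HB_HDR 3      /* 1-byte type + 2-byte big-endian payload length */
#define HB_PADDING 16 /* minimum padding that must follow the payload */

/* Payload length as declared by the sender (hypothetical helper name). */
static size_t declared_len(const uint8_t *rec) { return ((size_t)rec[1] << 8) | rec[2]; }

/* Vulnerable shape: the declared length is trusted and never compared with
 * rec_len, the number of bytes actually received. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    (void)rec_len;                               /* the validation that was missing */
    size_t plen = declared_len(rec);
    if (HB_HDR + plen > out_cap) return 0;       /* only the reply buffer is bounded */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, plen);    /* reads past the record if plen is a lie */
    return HB_HDR + plen;
}

/* Fixed shape: a declared length that does not fit inside the received
 * record, padding included, is rejected before anything is copied. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HDR) return 0;
    size_t plen = declared_len(rec);
    if (HB_HDR + plen + HB_PADDING > rec_len) return 0;  /* the bounds check the patch added */
    if (HB_HDR + plen > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, plen);
    return HB_HDR + plen;
}

/* Constructed demo: a 24-byte request with a 5-byte payload, followed in the
 * same buffer by bytes that are not part of the record. Returns the response
 * length if those bytes were echoed back, 0 if the request was rejected, and
 * 1 if a response was built without them. */
size_t leak_demo(int use_fix, uint16_t claimed) {
    uint8_t mem[128] = {0}, out[128] = {0};
    const size_t rec_len = HB_HDR + 5 + HB_PADDING;      /* 24 bytes on the wire */
    mem[0] = HB_REQUEST; mem[1] = (uint8_t)(claimed >> 8); mem[2] = (uint8_t)claimed;
    memcpy(mem + HB_HDR, "hello", 5);                    /* the real payload */
    memcpy(mem + rec_len, "SECRET", 6);                  /* adjacent memory, not part of the record */
    size_t n = use_fix ? heartbeat_fixed(mem, rec_len, out, sizeof out)
                       : heartbeat_vulnerable(mem, rec_len, out, sizeof out);
    if (n == 0) return 0;
    return memcmp(out + rec_len, "SECRET", 6) == 0 ? n : 1;
}
```

With an honest declared length of 5 both handlers answer normally; with a declared length of 64 the unchecked handler echoes back bytes that were never part of the request, which is exactly what the one added comparison prevents.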

Posted in computers and software, NSA eavesdropping | 1 Comment »

More on the Aaron Swartz story

Posted by Charles II on January 31, 2013

We previously covered the tragic story of Aaron Swartz, who was hounded to his death by a prosecution that seemed malicious and disproportionate, charging him with 13 felonies for downloading publicly-accessible files from MIT’s JSTOR account–even though JSTOR refused to say Swartz had stolen data. It is increasingly evident that the prosecution was completely wrong-headed. Scott Horton:

The flaw in Ortiz’s posture has been laid bare by Chief Judge Alex Kozinski of the Ninth Circuit Court of Appeals. In United States v. Nosal, he dismissed the theory Ortiz used to go after Swartz, saying it would potentially criminalize “everyone who uses a computer in violation of computer use restrictions — which may well include everyone who uses a computer.” Kozinski was born and raised in Communist Romania, and knows a thing or two about totalitarian states — and he knows that prosecutorial overbreadth is their leitmotif. If conduct can be charged so broadly as to cover virtually everyone, then prosecutorial discretion effectively becomes a license to persecute anyone who stands in the state’s way. Radley Balko and Clive Crook have each focused on this concern about the Swartz case. I share the essence of their analyses.

The Ninth Circuit is California, whereas Boston is First Circuit. So an opinion by Kozinski isn’t binding on whoever would have tried the case in Massachusetts District Court. But Ortiz would have done well to consider what he said, which is (in my layman’s interpretation) computers aren’t somehow special. Just because you do something using a computer does not automatically convert what would otherwise be a civil wrong (tort) or infraction of institutional rules into espionage, treason, or some other arcane crime. If you take confidential information from your employer, it shouldn’t matter whether it was in a filing cabinet or on a computer. It’s wrong, but probably not a felony.

Maybe someday enough prosecutors and judges will understand computers to get this simple idea: there’s nothing special about them.

Posted in abuse of power, computers and software | 3 Comments »

Another sacrifice to Pluto/updated

Posted by Charles II on January 13, 2013

http://www.youtube.com/watch?v=Fgh2dFngFsg&feature=player_embedded#!

(Video via UnaSpenser, DK)

Via Scott Lemieux at Lawyers, Guns, and Money, lawyer Larry Lessig tells the tragic tale of a young, infinitely-talented, public-spirited man brought to suicide by malicious prosecution, under the Computer Fraud and Abuse Act. Among his accomplishments (By Anne Cai, MIT Daily Tech):

The accomplished [Aaron] Swartz co-authored the now widely-used RSS 1.0 specification at age 14, founded Infogami which later merged with the popular social news site reddit, and completed a fellowship at Harvard’s Ethics Center Lab on Institutional Corruption. In 2010, he founded DemandProgress.org, a “campaign against the Internet censorship bills SOPA/PIPA.”

Rick Perlstein of the Nation remembers him as a friend:

I remember a creature who seemed at first almost to be made up of pure data, disembodied—a millionaire, I had to have guessed, given his early success building a company sold to Condé Nast, but one who seemed to live on other people’s couches. (Am I misremembering that someone told me he crashed in his apartment for a while, curling up to sleep under a sink?)

Only slowly, it seems, did he come to learn that he possessed a body. This is my favorite thing he wrote: about the day “I looked up and realized I couldn’t read the street sign. I definitely used to be able to read that sign, but there it was, big and bright and green along the highway, and all I could make out was a blur. I had gone blind.” Legally blind, it turned out; and then when he got contact lenses, he gave us an account of what it felt like to leave Plato’s cave: “I had no idea the world really looked like this, with such infinite clarity. It looks like a modernist photo or a hyperreal film, everything in focus everywhere. Everyone kept saying ‘oh, do you see the leaves now?’ but the first thing I saw was not the leaves but the people. People, individuated, each with brilliant faces and expressions at gaits, the sun streaming down upon them. I couldn’t help but smile. It’s much harder being a misanthrope when you can see people’s faces.”

This kind man dedicated his life to making information accessible, not for his own profit, but for the good of us all. He was a leader in Stop SOPA, for example, which this blog supported.

But in making information accessible, he ran afoul of the commercial world. Offended that court documents compiled at public expense were sold back to the public by Pacer, Swartz downloaded a lot of it at his own expense, and made it available for free. Although this was legal, he had to face questioning by the FBI. What got him into trouble was that he downloaded scholarly papers from JSTOR to do the same thing. Although these articles are also produced at public expense, publishers collect enormous fees, often a dollar or more per page, from those who need to access them. With more and more journals fully electronic, this creates a dangerous chokepoint on technical knowledge that threatens small, entrepreneurial businesses.

When confronted, Swartz offered to return all copies, and JSTOR did not see any reason to prosecute. MIT was less clear. But the prosecutor, Carmen Ortiz, decided to throw the book at him. Glenn Greenwald:

He adamantly refused to plead guilty to a felony because he did not want to spend the rest of his life as a convicted felon with all the stigma and rights-denials that entails. The criminal proceedings, as Lessig put it, already put him in a predicament where “his wealth [was] bled dry, yet unable to appeal openly to us for the financial help he needed to fund his defense, at least without risking the ire of a district court judge.”

According to Greenwald, if all the allegations by the Feds were correct, Swartz should have been prosecuted for simple trespass. He cites Timothy B. Lee:

Assuming the facts in the indictment are true, Swartz is something like a digital trespasser. Under Massachusetts law, such trespassing is punishable by a $100 fine and up to 30 days in prison. That seems about right: if he’s going to serve prison time, it should be measured in days rather than years.

At the bottom of this is the tension between art and commerce. Science, literature, and all creative endeavors are generated by an irrepressible impulse to add to the world. Their creators want to be rewarded by a livelihood, of course, but few obtain much of one. Instead, commerce takes the overwhelming portion of the rents of their work, whether it be the profits of publishers or of pharmaceutical companies. The public is told that laws preventing unauthorized reproduction are for the protection of the creator, but this is mostly false. If the primary beneficiary were the producer, then producers would be wealthy. Instead, the creative side of human life is being driven out of existence.

Nowhere is this more true than in scientific work, where access to the literature is the sine qua non of creativity. If small companies followed the laws and regulations to the letter, few would exist. In various ways, they circumvent them. Large companies do, too, though they pay for more of their literature. The people whom Swartz would have benefited would have been small entrepreneurs, recent graduates with a dream, cranky old inventors, and all the other creative people who made America so technologically dynamic.

One more beautiful human life has been sacrificed to Pluto, god of Money. There are no words.
____________
Added: Expert witness Alex Stamos, who had planned to testify for Swartz, says that:

If I had taken the stand as planned and had been asked by the prosecutor whether Aaron’s actions were “wrong”, I would probably have replied that what Aaron did would better be described as “inconsiderate”. In the same way it is inconsiderate to write a check at the supermarket while a dozen people queue up behind you…

______________
Update: Tom Levinson at Balloon Juice believes that MIT, thanks to its new president Rafael Reif, has begun a serious self-examination of their role in Aaron Swartz’s death. I have my own view of MIT (see, for example this post). It is a school in some ways run by and for corporations: lots of fun if you are a player, but the system is easily corrupted. MIT could be/become a leader in championing open information, which would only be fair considering how much their entrepreneurial culture depends on what scientific publishers would call “theft of intellectual property.” Let’s hope so.

And emptywheel wants to know whether MIT brought in the Secret Service (my guess is not).

Posted in computers and software | 1 Comment »

You knew it had to be something like this: comment spam

Posted by Charles II on September 7, 2012

Via Ritholtz, an article from Greg Stevens of Kernel Mag on comment spam.

Posted in computers and software, wrong way to go about it | Comments Off

Apple: the dark side

Posted by Charles II on January 19, 2011

Apple makes many great products. But there’s a dark side. It can only say it’s a green company because it outsources its pollution. Jonathan Watts, The Guardian:

Apple is more secretive over its supply chain than nearly all of its rivals, says a report from leading Chinese environment groups.

Apple is more secretive about its supply chain in China than almost all of its rivals, according to a new report by anti-pollution activists who accuse the company’s products of degrading the environment and poisoning workers.

Despite its claim to be a leading promoter of corporate ethics worldwide, the maker of iPads and iPhones came joint bottom among 29 major IT firms in a transparency study drawn up by a coalition of China’s leading environmental groups.

“Behind their stylish image, Apple products have a side many do not know about – pollution and poison. This side is hidden deep within the company’s secretive supply chain,” claims a statement by the 36 groups involved in the Green Choice Initiative.

Their report – the fourth to look at the impact of global brands on China’s environment – considers the openness of IT firms and their responsiveness to reports of environmental violations at suppliers.

It follows a series of workplace poisonings, heavy metal contamination incidents and suicides at Chinese factories that supply materials and components for mobile phones and computers….

Hewlett Packard, British Telecom, Samsung, Sony, Siemens and Alcatel were credited as being the most responsive to third-party inquiries about alleged environmental violations.

Computers in general are a dirty industry. Heavy metals. Gold. Nasty acids. Petroleum-based plastics. And they are huge hogs of electrical power. It’s a shame Apple isn’t using some of its new wealth to lay up some treasure in heaven.

The Institute of Public & Environmental Affairs asks that you write to Apple at supplierresponsibility@apple.com.

[Added: Though if n-hexane is the culprit in some of these cases of illness, I'd worry more about a fire than anything else. The stuff is a light fraction of gasoline. You'd have to have a very heavy exposure to cause nerve damage].

Update: The story has hit the Financial Times.

Posted in computers and software, environment | 5 Comments »

DDOSlinquents

Posted by Charles II on January 1, 2011

Lance Whitney, CNET:

Hackers are increasingly hitting the Web sites of human rights and independent media groups in an attempt to silence them, says a new study released this week by Harvard University’s Berkman Center for Internet & Society.

Based on a survey of 45 groups, the report “Distributed Denial of Service Attacks Against Independent Media and Human Rights Sites” found that a large percentage said they’ve been targeted by distributed denial-of-service (DDoS) attacks from those who disagree with their viewpoints. The Web sites typically have been knocked offline for short periods of time but in some cases have been down for days….

One example cited in the Berkman Center’s study was that of Russian independent newspaper Novaya Gazeta. …Though Sokolov can’t be sure who’s behind the attacks, he believes the culprits are government-sponsored “Kremlin Youth” organizations.

And that’s presumably who was hitting Wikileaks. The American chapter of Kremlin Youth, otherwise known as Republicans.

Posted in computers and software, Flying Monkey Right | 2 Comments »

Malwhere. The attack on Iran.

Posted by Charles II on November 19, 2010

OK, our best ally in the Middle East is now all but openly boasting of using computer malware as part of a strategy of warfare (Broad and Sanger, NYT):

Experts dissecting the computer worm suspected of being aimed at Iran’s nuclear program have determined that it was precisely calibrated in a way that could send nuclear centrifuges wildly out of control.

Their conclusion, while not definitive, begins to clear some of the fog around the Stuxnet worm, a malicious program detected earlier this year on computers, primarily in Iran but also India, Indonesia and other countries.

The paternity of the worm is still in dispute, but in recent weeks officials from Israel have broken into wide smiles when asked whether Israel was behind the attack, or knew who was. American officials have suggested it originated abroad.

So, now, how exactly do we go about getting China to rein in its script kiddies, whether state-sponsored or no, who have been rifling through the Pentagon’s computers?

Completely losing our moral authority is a very bad development. Probably less bad than bombing a country which constitutes no threat to us, but bad.

Finally, whoever wrote the code included a series of clues as to authorship inside it, and they’re things that Israel’s enemies would be unlikely to think of. So, add to the downside of undermining US leadership the fact that (a) the Israelis get the blame (b) it didn’t work, and (c) it included a bit of hubris of the kind that Whoever or Whatever is in charge of this world loves to punish.

Posted in computers and software, Iran, israel, nukes | 12 Comments »

The iPad: Yes Or No?

Posted by Phoenix Woman on April 4, 2010

So what do you think about the newest product from Apple?

Yea, nay, or somewhere in between?

Posted in computers and software | 3 Comments »

Dark pools and dreck pools

Posted by Charles II on March 7, 2010

Kevin Brown of FT has an important article here (FT asks that one not quote their articles, and the link requires login. I can guarantee that free access to FT is worth every penny and then some.)

The gist of the article is that Asians are increasingly taking trades off the floors of the exchanges and executing them privately. This practice, which is worldwide, is incredibly dangerous, adding to the already impulsive gambling style of stock market transactions which are for no obvious reason called “investment.”

These private transactions are called “dark pools.” They could allow, for example, an insider to dump his shares outside of normal trading hours and ahead of an announcement. They facilitate tax evasion, trading of phantom shares, over-leveraging (using an asset to back more borrowing than is warranted), and so on. Unfortunately, the author only cites vague regulatory concerns.

—-

Completely unrelated, Joseph Menn has an interesting piece about busting the Mariposa botnet and other computer criminals. Prior to Mariposa, Wired’s blogger Kevin Poulsen was less impressed by the threat of botnets, as was Ryan Singel, but it’s not clear whether this has changed their minds.

Posted in computers and software, financial crisis, stock market | 14 Comments »

The dangers of pet ownership

Posted by Charles II on November 8, 2009

From http://icanhascheezburger.com

Posted in cats, computers and software, guest cats, Just for fun | 1 Comment »
