Friday, April 29, 2011

Copyright Law for the Digital Age

The Architecture of Access to Scientific Knowledge from lessig on Vimeo.

A very interesting talk by Lawrence Lessig at CERN. I have a few nits I would pick with his presentation, but overall I think it is tremendous and worth viewing by anyone interested in science, education, the arts, the modern world, and the future of human civilization.

Thursday, April 28, 2011

Cyber War - The Glass Dragon

There is an excellent account at ThreatPost regarding China and the opening phase of Cyber War: Glass Dragon: China's Cyber Offense Obscures Woeful Defense.

It appears that China, while superb on offense, is lacking somewhat on defense. The article, by Paul Roberts, describes tests run against Chinese systems and finds them quite lacking. It appears that China has much the same weaknesses as the US and others, rooted in a distrust of open source and an insistence on reinventing systems. The result is systems as open to attack and disruption as ours, if not more so.

Two quotes say it all:
I think China is growing very fast and there aren't enough people to maintain the infrastructure. They have more networks and government sites than their own government can even maintain. They don't have the manpower or even the knowledge to maintain them. And, in many ways, China is still playing catch up with the US. They're an aggressor in cyberspace, but their own networks are very weak and poorly designed. I'm not saying that to shed a negative light on China, but there's so much out there that they just can't maintain it all. Beyond that, there's a lack of trust in Western products - even open source products. A fear that people will put back doors in them, which really misunderstands what open source is about, which is: if we have a lot of eyes looking at the code, people will spot problems and fix them.

It's really not hard. In fact, the amount of data I have found that is not intended for public consumption is amazing. I stopped after three terabytes. These systems are not maintained and are all vulnerable to attacks. HTTP is just one attack vector, but there are many others. For example: there was an LDAP server that was accessible from the Internet and it was running a vulnerable version of PHP and, in addition, everything on the server was running as root. I find that a lot - it's a bit of laziness by system administrators that makes their job easier. I was able to compromise the server and then simply enumerate the directory and find other file servers and systems on the network that weren't connected to the Internet. Another example is China's National University of Defense Technology. They had a bunch of Web servers that weren't using SSL or HTTPS, so everyone was logging in using plain HTTP. All you needed to do was compromise one box and you could sniff all the user names and passwords in clear text.
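The last sentence of that quote, sniffing user names and passwords once one box on a plain-HTTP network is compromised, is worth seeing concretely. The Python below is an added example, not code from the original post or from the ThreatPost article: it does the parsing a sniffer on a compromised host would do on raw HTTP requests, pulling credentials out of form posts and Basic authorization headers. The captures, host names, paths and credentials are all constructed for illustration. The same logins carried over HTTPS would show a host on the wire nothing but ciphertext.

```python
"""Added example (not from the original post or the ThreatPost article):
what a sniffer on a compromised host sees when logins travel over plain HTTP.

The request captures below are constructed for illustration; the host names,
paths and credentials are invented.
"""
import base64
import binascii
import re
from urllib.parse import parse_qs

# Form field names that commonly carry a password or a user name.
PASSWORD_FIELD = re.compile(r"^(pass(word|wd)?|pwd)$", re.IGNORECASE)
USER_FIELD = re.compile(r"^(user(name)?|login|email|uid)$", re.IGNORECASE)

# Constructed captures: three requests as they would appear on the wire over port 80.
CAPTURES = [
    b"POST /login HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=zhang&password=Spring2011%21",
    b"GET /admin/ HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"Authorization: Basic YWRtaW46aHVudGVyMg==\r\n"
    b"\r\n",
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: portal.example.edu\r\n"
    b"\r\n",
]


def parse_request(raw: bytes):
    """Split one raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def extract_credentials(raw: bytes):
    """Return a finding dict if this plaintext request carries a credential, else None."""
    method, path, headers, body = parse_request(raw)
    where = f"{headers.get('host', '?')}{path}"

    # Basic auth is only base64, not encryption: the pair is readable to anyone on the path.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:]).decode("latin-1")
        except binascii.Error:
            return None  # malformed base64: nothing recoverable
        user, _, password = decoded.partition(":")
        return {"where": where, "channel": "basic-auth", "user": user, "password": password}

    # A login form posted over http:// sends the password as a plain urlencoded field.
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        fields = parse_qs(body.decode("latin-1"))
        password = next((v[0] for k, v in fields.items() if PASSWORD_FIELD.match(k)), None)
        if password is None:
            return None
        user = next((v[0] for k, v in fields.items() if USER_FIELD.match(k)), None)
        return {"where": where, "channel": "form-post", "user": user, "password": password}

    return None


def audit(captures):
    """Run every captured request through extract_credentials and collect the hits."""
    return [f for f in (extract_credentials(raw) for raw in captures) if f]


if __name__ == "__main__":
    for finding in audit(CAPTURES):
        print(f"{finding['channel']:10} {finding['where']:28} {finding['user']} / {finding['password']}")
```

The field-name patterns are a heuristic; a real login page may use any name, so in practice the sniffer would also key on the form action path seen in the page itself. The point stands regardless: nothing in this script is hard, and the only thing that defeats it is TLS on the login path.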

Wednesday, April 6, 2011

Google Liable for AutoComplete Defamation

More legal news from Italy. An undisclosed plaintiff sued Google for defamation.

People searching via Google ... were apparently presented with autocomplete suggestions including truffatore ("con man") and truffa ("fraud")....

This "caused a lot of trouble to the client, who has a public image both as an entrepreneur and provider of educational services in the field of personal finance".

Google loses autocomplete defamation case in Italy

Since the auto-complete algorithm was created and maintained by Google the court ruled that Google is to be held responsible for the outcomes.

So what is the result of this? Must Google make certain that no words like "loser, fool, fraud, dummy" ever come up in its autocomplete? Does Google simply remove autocomplete entirely so as not to invite further lawsuits? I never was a big fan of Google's autocomplete, but all this will accomplish is to prevent new products from entering the marketplace.

This is another horrible court decision coming from the EU. Taken together with the new privacy rule going into effect on May 25, whereby websites must get "explicit consent" from web users before tracking them with a cookie, I fear the EU is destroying innovation and is intent on "controlling" the internet. As regards the EU privacy law, I'm still not certain if it applies only to client-side cookies or applies to server-side and session variables as well.

Tuesday, April 5, 2011

Yahoo is Responsible for Illegal Downloads

There was a horrible decision from the Court of Rome. Apparently people could view pirated copies of a movie (About Elly) online. The Court of Rome ordered Yahoo to remove any link to the unlawful copies of the movie.

The only reason the Court did not include Google and other SEs is because the Italian division of those companies did not have an active role in the management of the search engines and thus were outside the jurisdiction of the court.

If this decision stands then search engines would be responsible for the content found through their site. The court did say that it would be impossible for the SE to police the material itself, but that it was responsible for promptly acting when a copyright holder makes a claim about pirated material. The court also took into consideration the fact that the illegal sites were ranked higher than the official site. SEO anyone? Bueller? Bueller?

The fact that a SE is, in any way, responsible for the material on the web is a horrible precedent. Intentional or not, this is the first step to shutting down commercial activity across the web; the first step to eliminating any non-approved site. This is a special concern to anyone who is interested in privacy rights and free speech.

I can't find an English translation of the case but if you can read Italian here it is.