MIRLN: September 2018

MIRLN --- 26 Aug - 15 Sept 2018 (v21.12) --- by Vince Polley and KnowConnect PLLC

Intel rips up microcode security fix license that banned benchmarking (The Register, 23 Aug 2018) - Intel has backtracked on the license for its latest microcode update that mitigates security vulnerabilities in its processors - after the previous wording outlawed public benchmarking of the chips. The software, released this month , counters the Foreshadow aka L1TF Spectre-related flaws in its CPUs. However, its terms of use and redistribution were problematic. Following The Register 's report on Tuesday that Linux distro Debian decided to withhold packages containing the microcode security fix over concerns about its license, open-source pioneer Bruce Perens out Intelfor trying to gag netizens. Intel's gagging order came in the form of this license clause: "You will not, and will not allow any third party to … publish or provide any Software benchmark or comparison test results." That made it impossible for free-software bastion Debian to push Intel's microcode to its users as a security update. The reason for Intel's insistence on a vow of silence is that - even with the new microcode in place - turning off hyper-threading is necessary to protect virtual machines from attack via Foreshadow - and that move comes with a potential performance hit. Red Hat, which evidently didn't get the memo to shut up about benchmarks, earlier this month noted : "The performance impact when HT is disabled is dependent on many factors. Measured impact ranges from a +30 per cent gain, to -50 per cent loss and beyond. Most HT testing, however, showed losses in the 0-30 per cent range." Predictably, Intel's contractual omertà had the opposite effect and drew attention to the problem. "Performance is so bad on the latest Spectre patch that Intel had to prohibit publishing benchmarks," said Lucas Holt, MidnightBSD project lead, via Twitter. top

Patent office shows new respect for software (Patently-O, 27 Aug 2018) - Software patents and applications are making a quiet comeback under Director Andrei Iancu's leadership of the U.S. Patent and Trademark Office. This is a welcome shift, since thousands of applications have been held captive in the Office in the wake of Supreme Court decisions culminating in Alice v. CLS Bank , 134 S.Ct. 2347 (2014). In the hands of reductionists, the Alice formula for rejection/invalidation was easy to apply. Every invention can be reduced to an abstract idea. Whatever is left can be explained away as "routine" or "conventional." In the last four years, many software patent applications suffered repeated rejection and the ignoble death of abandonment for lack of will or lack of funds. Even when granted, many software patents were mowed down in inter partes review (IPR) in the Patent Trial and Appeal Board (PTAB). The Federal Circuit's February 2018 decision in Berkheimer , 881 F.3d 1360 (citing Alice and other authority), paved the way for recent progress, holding that when there are genuine issues of material fact concerning alleged routineness or conventionality, evidence of the same must be presented before patent claims properly can be invalidated on such grounds. * * * top

Microsoft will soon automatically transcribe video files in OneDrive for Office 365 subscribers (TechCrunch, 28 Aug 2018) - today announced a couple of AI-centric updates for OneDrive and SharePoint users with an Office 365 subscription that bring more of the company's machine learning smarts to its file storage services. The highlight of these announcements is that starting later this year, both services will get automated transcription services for video and audio files. While video is great, it's virtually impossible to find any information in these files without spending a lot of time. And once you've found it, you still have to transcribe it. Microsoft says this new service will handle the transcription automatically and then display the transcript as you're watching the video. The service can handle over 320 file types, so chances are it'll work with your files, too. top

Open internet saves accused copyright infringer from liability (Patently-O, 29 Aug 2018) - Cobbler Nevada, LLC v. Gonzales ( 9th Cir. 2018 ) This copyright lawsuit involves cute Adam Sandler movie titled The Cobbler. In the movie, Sandler's character free-rides off of the experiences of others by using a magical shoe-cobbling machine. The movie copyright holders did not reciprocate that freedom when American Pirates began downloading and distributing the movie through BitTorrent. Cobbler-Nevada was able to trace the Internet Protocol (IP) address associated with the infringing activity and then filed suit in a John Doe lawsuit. Comcast responded to a subpoena in the case with information that the IP address was assigned to its customer Thomas Gonzales. The Copyright holder then amended its complaint to name Gonzales - accusing him of copyright infringement as well as contributory copyright infringement (for failing to secure his internet connection). Note here that Gonzales operates an adult care home and that the internet service was open to residents and visitors. The appeal here focuses on the pleadings and whether the complaint states a claim. In Iqbal , the Supreme Court explained that a complaint must be plausible - allegation of plausible facts that create a plausible "entitlement to relief." Reviewing the allegations here, the 9th Circuit found that the facts alleged against Gonzalez here are "not enough to raise a right to relief above a speculative level." (quoting Twombly ): * * * top

Bitcoin and other cryptocurrencies are useless (The Economist, 30 Aug 2018) - An old saying holds that markets are ruled by either greed or fear. Greed once governed cryptocurrencies. The price of Bitcoin, the best-known, rose from about $900 in December 2016 to $19,000 a year later. Recently, fear has been in charge. Bitcoin's price has fallen back to around $7,000; the prices of other cryptocurrencies, which followed it on the way up, have collapsed, too. No one knows where prices will go from here. Calling the bottom in a speculative mania is as foolish as calling the top. It is particularly hard with cryptocurrencies because, as our Technology Quarterly this week points out, there is no sensible way to reach any particular valuation. It was not supposed to be this way. Bitcoin, the first and still the most popular cryptocurrency, began life as a techno-anarchist project to create an online version of cash, a way for people to transact without the possibility of interference from malicious governments or banks. A decade on, it is barely used for its intended purpose. Users must wrestle with complicated software and give up all the consumer protections they are used to. Few vendors accept it. Security is poor. Other cryptocurrencies are used even less. With few uses to anchor their value, and little in the way of regulation, cryptocurrencies have instead become a focus for speculation. Some people have made fortunes as cryptocurrency prices have zoomed and dived; many early punters have cashed out. Others have lost money. It seems unlikely that this latest boom-bust cycle will be the last. Economists define a currency as something that can be at once a medium of exchange, a store of value and a unit of account. Lack of adoption and loads of volatility mean that cryptocurrencies satisfy none of those criteria. That does not mean they are going to go away (though scrutiny from regulators concerned about the fraud and sharp practice that is rife in the industry may dampen excitement in future). But as things stand there is little reason to think that cryptocurrencies will remain more than an overcomplicated, untrustworthy casino. top

- and -

Marshall Islands warned against adopting digital currency (BBC, 11 Sept 2018) - The Republic of the Marshall Islands has been warned against adopting a digital currency as a second form of legal tender. The International Monetary Fund (IMF) said the country, which consists of hundreds of islands in the Pacific Ocean, should "seriously reconsider". Currently, only the US dollar counts as legal tender in the islands. A law to adopt a digital currency named "Sovereign" alongside the dollar was passed in February. The first virtual coins are due to be issued to members of the public via an initial coin offering (ICO) later this year. However, IMF directors said the potential benefits of the move were much smaller than the potential costs of "economic, reputational and governance risks". "[Marshall Island] authorities should seriously reconsider the issuance of the digital currency as legal tender," wrote the directors in their report, which was first spotted by cryptocurrency news site Coindesk . There is just one domestic commercial bank in the country and it is at risk of losing its only correspondent banking relationship with another bank in the US. top

- and -

FINRA takes down an unregistered cryptocurrency security (TechCrunch, 12 Sept 2018) - FINRA, the non-profit organization that tasks itself with policing the securities industry, is charging Timothy Tilton Ayre of Agawam, Mass. with fraud and unlawful distribution of unregistered cryptocurrency securities. Ayre claimed that users could buy equity in his company, Rocky Mountain Ayre, Inc., buy purchasing HempCoin, a cryptocurrency. From the release : In the complaint, FINRA alleges that, from January 2013 through October 2016, Ayre attempted to lure public investment in his worthless public company, Rocky Mountain Ayre, Inc. (RMTN) by issuing and selling HempCoin - which he publicized as "the first minable coin backed by marketable securities" - and by making fraudulent, positive statements about RMTN's business and finances. RMTN was quoted on the Pink Market of OTC Markets Group and traded over the counter. According to the complaint, FINRA also alleges that in June 2015, Ayre bought the rights to HempCoin and repackaged it as a security backed by RMTN common stock. Ayre marketed HempCoin as "the world's first currency to represent equity ownership" in a publicly traded company and promised investors that each coin was equivalent to 0.10 shares of RMTN common stock. Investors mined more than 81 million HempCoin securities through late 2017 and bought and sold the security on two cryptocurrency exchanges. FINRA charges Ayre with the unlawful distribution of an unregistered security because he never registered HempCoin and no exemption to registration applied. Because FINRA is not a government body its charges are rarely very onerous but, in the case of brokerage fraud, Ayre could face further scrutiny if he tries to sell securities in the future. The company, Rocky Mountain Ayre, seems to be associated with a restaurant and medical marijuana sales operation, although it is unclear what the company actually does. top

FBI fights viral influence campaigns with informational videos (Nextgov, 31 Aug 2018) - With midterm elections fast approaching, the FBI on Thursday released a dozen informational videos detailing ways political campaigns can protect themselves against cyberattacks from foreign powers. The Protected Voices initiative covers a wide range of cybersecurity topics-including software patching, secure communications, password protection and browser safety-that can help campaigns fend off the most common attacks. "Foreign influence operations … are not a new problem," officials said on the site, "but the interconnectedness of the modern world, combined with the anonymity of the Internet, have changed the nature of the threat and how the FBI and its partners must address it." In the videos, FBI personnel explain how foreign actors use phishing emails, public Wi-Fi and insecure routers to infiltrate and disrupt campaigns, and how virtual private networks, cloud services and cyber hygiene principles could mitigate those threats. They stress that anyone who goes online regularly could benefits from such cyber best practices, not just political campaigns. [ Polley : these 5-minute videos are very good, and usable by everybody, not just election campaigns.] top

Court shuts down feds' attempt to expand the 'border search' exception to cover inland GPS monitoring (TechDirt, 6 Sept 2018) - Cyrus Farivar of Ars Technica has put together a hell of a read from a suppression order obtained by defendants in a drug case . It involves a truckload of cheese danishes, cocaine trafficking, and the US government's attempt to apply the "border exception" everywhere in the United States. At the heart of it is a GPS tracking device. The government installed it on a truck driven by suspected drug smugglers when it crossed the Canadian border into the US. It then used that device to track the truck as it traveled down to California. The resulting bust only uncovered some bags of sugar, but a previous stop of the same truck had turned up 194 kilos of cocaine. The defendants in the case have had the evidence suppressed. The ruling [PDF] was handed down late last month. It points to the Supreme Court's 2012 Jones decision , which held that placing GPS devices on vehicles was a search under the Fourth Amendment. Warrants are needed to place the devices. Long-term tracking is also out of the question if warrants aren't obtained. The government argued it didn't need a warrant because it placed the device on the truck at the Canadian border. This would be the " border exception " to the Fourth Amendment -- one carved out by the courts which allows all kinds of warrantless searches to be performed in the name of border security. But the judge doesn't buy this attempt to salvage ill-gotten evidence. The government cites a number of cases involving searches of vehicles performed at the border -- some more invasive than others -- where warrants weren't needed. The court finds these citations unavailing because they don't actually address what happened here: the placement of a GPS device at the border which was subsequently used to track a vehicle as it traveled far beyond the Canadian border. top

Prosecutors charge Russian accused of hacking JP Morgan, Dow Jones (TechCrunch, 10 Sept 2018) - New York prosecutors have extradited a Russian hacker accused of breaking into one of the world's largest banking institutions. Moscow resident Andrei Tiurin, 35, was charged Friday after he was extradited from neighboring Georgia, with the theft of over 80 million records from the bank in 2014. The alleged hacker is said to have been under the direction of Gery Shalon, who was separately indicted a year later following the breach. Tiurin was also charged wire and securities fraud, and aggravated identity theft, racking up the maximum possible prison time to over 80 years. Although the indictment did not name the New York-based financial news agency, The Wall Street Journal previously reported the victim as its parent company Dow Jones , following the following the first round of charges in 2015. Tiurin was also accused of trying to artificially inflate the "price of certain stocks publicly traded in the United States," and obtained "hundreds of millions of dollars in illicit proceeds" from various hacking campaigns. top

Vizio, sued for making creepy smart TVs, will notify customers via the TVs (ArsTechnica, 10 Sept 2018) - In what is likely a first in the industry, Vizio is on the verge of agreeing to display a class-action lawsuit message through its previously sold "Smart TV" televisions as part of a legal settlement. This message is meant to alert customers who bought the TV that they will be party to the forthcoming settlement and likely will get a small amount of money. As Ars has reported previously, the manufacturer has been under scrutiny since a revelation that it was snooping on its customers. The tracking started in February 2014 on both new TVs and previously sold devices that didn't originally ship with ACR software installed. The software periodically appended IP addresses to the collected data and also made it possible for more detailed personal information-including age, sex, income, marital status, household size, education level, home ownership, and home values-to be associated. In a court filing submitted last Wednesday, lawyers for both sides asked the judge to push back approval of the preliminary settlement to October 3. "The Parties are developing a class notice program with direct notification to the class through VIZIO Smart TV displays, which requires testing to make sure any TV notice can be properly displayed and functions as intended," they wrote. "The additional time requested will allow the parties to confirm that the notice program proposed in the motion for preliminary approval is workable and satisfies applicable legal standards." top

In a few days, credit freezes will be fee-free (Krebs on Security, 11 Sept 2018) - Later this month, all of the three major consumer credit bureaus will be required to offer free credit freezes to all Americans and their dependents. Maybe you've been holding off freezing your credit file because your home state currently charges a fee for placing or thawing a credit freeze, or because you believe it's just not worth the hassle. If that accurately describes your views on the matter, this post may well change your mind. * * * top

UK's mass surveillance regime violated human rights law, finds ECHR (TechCrunch, 13 Sept 2018) - In another blow to the UK government's record on bulk data handling for intelligence purposes the European Court of Human Rights (ECHR) has ruled that state surveillance practices violated human rights law. Arguments against the UK intelligence agencies' bulk collection and data sharing practices were heard by the court in November last year . In today's ruling the ECHR has ruled that only some aspects of the UK's surveillance regime violate human rights law. So it's not all bad news for the government - which has faced a barrage of legal actions (and quite a few black marks against its spying practices in recent years) ever since its love affair with mass surveillance was revealed and denounced by NSA whistleblower back in 2013. The judgement reinforces a sense that the government has been seeking to push as close to the legal line as possible on surveillance, and sometimes stepping over it - reinforcing earlier strikes against legislation for not setting tight enough boundaries to surveillance powers, and likely providing additional fuel for fresh challenges. The complaints before the ECHR focused on three different surveillance regimes: 1) The bulk interception of communications (aka 'mass surveillance'); 2) Intelligence sharing with foreign governments; and 3) The obtaining of communications data from communications service providers. * * * top

Security risks of government hacking (Bruce Schneier, 13 Sept 2018) - Some of us -- myself included -- have proposed lawful government hacking as an alternative to backdoors. A new report from the Center of Internet and Society looks at the security risks of allowing government hacking. They include: Disincentive for vulnerability disclosure; Cultivation of a market for surveillance tools; Attackers co-opt hacking tools over which governments have lost control; Attackers learn of vulnerabilities through government use of malware; Government incentives to push for less-secure software and standards; and Government malware affects innocent users. These risks are real, but I think they're much less than mandating backdoors for everyone. From the report's conclusion: Government hacking is often lauded as a solution to the "going dark" problem. It is too dangerous to mandate encryption backdoors, but targeted hacking of endpoints could ensure investigators access to same or similar necessary data with less risk. Vulnerabilities will never affect everyone, contingent as they are on software, network configuration, and patch management. Backdoors, however, mean everybody is vulnerable and a security failure fails catastrophically. In addition, backdoors are often secret, while eventually, vulnerabilities will typically be disclosed and patched. The key to minimizing the risks is to ensure that law enforcement (or whoever) report all vulnerabilities discovered through the normal process, and use them for lawful hacking during the period between reporting and patching. Yes, that's a big ask, but the alternatives are worse. This is the canonical lawful hacking paper [from 2014]. top

How the Times verifies eyewitness videos (Sept 14, 2018) - Was a video of a chemical attack really filmed in Syria? What time of day did an airstrike happen? Which military unit was involved in a shooting in Afghanistan? Is this dramatic image of glowing clouds really showing wildfires in California? These are some of the questions the video team at The New York Times has to answer when reviewing raw eyewitness videos, often posted to social media. It can be a highly challenging process, as misinformation shared through digital social networks is a serious problem for a modern-day newsroom. Visual information in the digital age is easy to manipulate, and even easier to spread. What is thus required for conducting visual investigations based on social media content is a mix of traditional journalistic diligence and cutting-edge internet skills, as can be seen in our recent investigation into the chemical attack in Douma, Syria . The following provides some insight into our video verification process. It is not a comprehensive overview, but highlights some of our most trusted techniques and tools. * * * top

RESOURCES

New draft article: "Compelled Decryption and the Privilege Against Self-Incrimination" (Volokh Conspiracy, Orin Kerr, 12 Sept 2018) - I recently posted to SSRN a new draft article, " Compelled Decryption and the Privilege Against Self-Incrimination ," forthcoming in the Texas Law Review . Here's the abstract: This essay considers the Fifth Amendment barrier to orders compelling a suspect to enter in a password to decrypt a locked phone, computer, or file. It argues that a simple rule should apply: An assertion of privilege should be sustained unless the government can independently show that the suspect knows the password. The act of entering in a password is testimonial, but the only implied statement is that the suspect knows the password. When the government can prove this fact independently, the assertion is a foregone conclusion and the Fifth Amendment poses no bar to the enforcement of the order. This rule is both doctrinally correct and sensible policy. It properly reflects the distribution of government power in a digital age when nearly everyone is carrying a device that comes with an extraordinarily powerful lock. As regular readers may note, I've blogged about these issues before. The new draft builds on the themes of my blog posts, elaborating on the argument and offering my responses to several counteraguments. Comments are very welcome, especially critical ones (and especially from techies). top

Ethics of Using Artificial Intelligence to Augment Drafting Legal Documents (David Hricik in TAMU's Journal of Property Law, 2018) - Skynet is not and may never be self-aware, but machines are already doing legal research, drafting legal documents, negotiating disputes such as traffic tickets and divorce schedules, and even drafting patent applications. Machines learn from us, and each other, to augment the ability of lawyers to represent clients - and even to replace lawyers completely. While it also threatens lawyers' jobs, the exponential increase in the capacity of machines to transmit, store, and process data presents the opportunity for lawyers to use these services to provide better, cheaper, or faster legal representation to clients. By way of familiar example, instead of determining whether a precedential opinion remains "good law" by manually going through multiple books - "Shepardizing a case" as an older lawyer would put it - lawyers can use on-line legal services to instantly learn, not just whether an earlier decision has been limited or overruled, but the depth of analysis given to the issue by a later court opinion. Because technology may be able to do some tasks better, or at a lower cost, or both, lawyers should use technology when it will, considering the risks, benefit clients. That obligation requires lawyers to stay "keep abreast of changes in. . . practice, including the benefits and risk associated with relevant technology. . . ." Assessing the benefits and risks of a particular technology obviously requires due diligence into the practical and legal risks of the technology, and comparing that to the benefits it brings to a representation. That assessment requires applying existing ethical rules in a process that can best be analyzed as comprising two stages. The first step requires determining whether the technology does what it is supposed to do in a reasonably competent manner. For example, just as a lawyer could not use a paralegal to use a form to create the first draft of a contract for a client if the paralegal's work was known to be unreliable or unreasonably expensive, a lawyer cannot use an automated contract drafting service with the same shortcomings. The first step, in other words, requires reasonable efforts by the lawyer to determine the competency of the service. If the service does not provide competent assistance, the lawyer obviously cannot use it. The second step requires determining whether a competent service can be used while complying with the ethical obligations of the lawyer, beyond competency. Just as a lawyer must ensure that non-lawyer employees and agents maintain the confidentiality of client information consistent with the lawyer's ethical obligations, he must do so with all services provided by third parties, including automated services. Likewise, lawyers must ensure non-lawyer assistants - even those who are independent contractors hired for a particular matter, and not firm employees - must not have conflicts of interest or violations of other ethical rules. This article focuses on the second step in the due diligence process. top

LOOKING BACK - MIRLN TEN YEARS AGO

(note: link-rot has affected about 50% of these original URLs)

Steal this Wi-Fi (Wired, Article by Bruce Schneier, 10 Jan 2008) - Whenever I talk or write about my own security setup, the one thing that surprises people - and attracts the most criticism - is the fact that I run an open wireless network at home. There's no password. There's no encryption. Anyone with wireless capability who can see my network can use it to access the internet. To me, it's basic politeness. Providing internet access to guests is kind of like providing heat and electricity, or a hot cup of tea. But to some observers, it's both wrong and dangerous. top

FTC adopts final Can-Spam rules (Steptoe & Johnson's E-Commerce Law Week, 22 May 2008) - The Federal Trade Commission announced on May 12 that it had approved new rules governing the regulation of commercial email under the CAN-SPAM Act. Most notably, the rules modify the definition of "sender" to address situations where a single email message contains advertisements from multiple parties. In such a situation, if only one person is identified in the "from" line of the commercial email, then this person will generally be considered the "sole sender" of the email and will be exclusively responsible for handling opt-out requests. Moreover, the rules state that a sender may not require a recipient of a commercial email message to pay a fee, provide information other than an email address and opt-out preferences, or take any steps other than sending a reply email or visiting a single webpage in order to opt-out of future emails. The rules become effective July 7, 2008. top

MIRLN

Saturday, September 15, 2018

MIRLN --- 26 Aug – 15 Sept 2018 (v21.12)

RESOURCES

LOOKING BACK - MIRLN TEN YEARS AGO

About Me

Blog Archive