Silicon Shecky

Infosec Practitioner

Connect

Can the DMCA Kill the Cloud?

By Leave a Comment

The DMCA (Digital Millennium Copyright Act) is a powerful tool for copyright holders. Take down notices get served to many websites daily to remove infringing items, yet many are false positives. Will the DMCA harm cloud computing? I think its a good possibility.

I recently read an interesting article on SC Magazine about a security researcher who had her MediaFire account suspended for 36 hours because of a DCMA notification. The infringing files she had on the account for years, and were malware files that had been or were being researched by her and others. There is also the case of speeches from the recent political conventions been taken down off You Tube because of automated filters to prevent DMCA take down notices. The amount of false positives reported to the news outlets it a small portion of what actually is out there, but they tend to make big news.

So what does this all have to do with killing the cloud? The answer is quite a lot. If the filters and DMCA searches are conducted in a way that can breed a lot of false positives, such as just going by file names and sizes, then what is to prevent a DMCA notice and fight over a companies private files that have the same name as some other companies files? Better yet, what if something is named too similar to something from the entertainment industry? a presentation that uses music, hey there can be a DMCA takedown notice right there if a file scanner digs into it, or if you leave the name of the song in the filename.

The idea being that all these notices can help make people gun shy about moving or even using the cloud. Copyright is needed, yet has been blown way out of proportion in its longevity. Life of the artist plus 75 years is way to long, considering that copyrights were meant to foster innovation, not to allow someone to sit back on their laurels. Now we see that it can affect researchers which are reaching to the cloud to help analyze items in a file. This can affect not only the infosec area but other areas such as medicinal or other science research. All this because one is guilty until proven innocent. This can and will affect the future in more ways than we can see at this time.

 

SOPA/PIPA: What Happens Now?

By Leave a Comment

This week there was protesting going on about SOPA and PIPA. The real question is, what happens now?

Congressmen are removing their support. the people who introduced the bills are removing the DNS blocking provisions. What more needs to happen is the question that they will ask.

First, lets start with this, a politicians promise is like a prostitute’s kiss. It is slimy and is not something you can believe. The fact that non of the congressmen who have backpedaled have given any clue as to what they now find objectionable outside of their constituents not liking the bill, is a worrisome sign. One that shows that they don’t really want to back off, and they are putting on a face until the fervor dies down. This is why we need to press the advantage right now to get these bills changed.

Karl W. Palachuk rightly claims in a Facebook post that 99% of the people who signed the petitions don’t know much about the bill. He though, like a lot of the people for the bills, try to make it about infringing versus not infringing. That is not the real problem. People like him who say that not supporting SOPA/PIPA is akin to being a pirate yourself are short sighted and wrong. The real issues are Cybersecurity, letting the foxes (RIAA/MPAA) guard the hen house, and no oversight. The Censorship angel is being used as a way to disguise these other issues that have been brought up.

For instance, there is a provision in SOPA that “bars the distribution of tools and services designed to get around such blacklists.” This is dangerous because sites such as Tor, which is used by people in places such as China and Iran to get around their firewalls, could create problems for VPNs, which could be used by people who work for multinational companies to get around the blacklists, and encryption which would prevent people from seeing what you are requesting on the net. Heck, to bypass some of the blocking/filtering, you could just modify your hosts file. Does that make every operating system illegal under SOPA?

Also think about this. The punishments in SOPA do not fit the crimes. Overbearing on the fines front, making these crimes a felony and setting jail times longer than those who beat up their wives or kids is just not right.

Now to further the argument, there is the Megaupload takedown which happened yesterday. this 2 year investigation with international cooperation sets a standard for taking down sites that are helping pirate stuff knowingly. Yes they have servers on American soil, but they are a multinational company, and Kim Dotcom was arrested in New Zealand. That right there shows that the DCMA combined with current law can take down pirates.

Yes Piracy is a problem. Then again its always been a problem. Should we shut down libraries because people might not (and do not) return books thereby getting them for free. Heck they read them for free through the library. You can get movies, music all of it for free from a library. Why not shut them down? The point being that no matter what, there will be it. I have yet to see confirmable numbers on what it actually is doing to the entertainment industry, but with the amounts of money the execs get pain in bonuses, it really can’t be hurting them too much.

You can go to sites like ArsTechnica.com and find a wealth of information about SOPA and PIPA, what they could do with the laws, extreme examples such as I have posted, and more. There is a wealth of good information out there, and people do need to actually take time to make educated decisions about these sorts of laws.

Finally, think about this. How often do the worst case scenarios come true? Look to the past, see what controversial laws have been enacted without oversight, and how they have been abused over the years. See what groups like the RIAA and MPAA have done in playing the role of Chicken Little (Cassette Tapes, VCRs etc..) over the years, and how they have been proven wrong. We have to decide at some point our own future and not let it get silently dictated to us by a bunch of corporate goons.

Oh Verizon, You are screwing up

By Leave a Comment

Extra charges for single online pay, 4G outages, the FTC starting to look at their business practices. Verizon, what have you done?

I was going to give a review of the Motorola Droid Razor today, but decided to push that off. See the Razor is available only through Verizon, and I noticed yet the start of another outage of 4G services this morning. Verizon has said these outages are growing pains, and were the 4G network brand new, I would accept that, but it is not. Verizon has had their 4G network up for just over a year, and should know how to handle growth. They were the ones who didn’t have the issues AT&T had with the explosion of smartphones. Of course that was CDMA vs. GSM. Now its LTE vs. LTE, and AT&T might have the advantage.

See both are using the LTE network, which requires the use of a SIM card. AT&T, whose network is still known for poor quality, and lots of drops, at least has a head start in dealing with the issues of a network that requires the SIM cards. I wish I had proof, but it seems that the SIM cards, or at least networks that require them, are not as stable here in the States as a network like CDMA which has no SIM card. (At the time of writing this, the 4G network just came back up after being inaccessible for an hour). It would be interesting to hear from someone on the differences between the two networks and why the ones that need SIM cards seem to be more unreliable.

Now this is on the heels of the FTC announcing it was probing Verizon over the $2 convenience fee it was going to charge and then pulled back on. Verizon’s statement is that even paying online has its costs. And they are right, there is equipment and software costs, maintenance on the systems, and hardening the equipment against hackers and other forms of data breaches. Still the costs are the same, whether for an automated system or if people pay individually. That is, unless they have to use 2 separate systems, or the company that is processing the payments is charging them an extra fee. Either way, there are other options to reduce the cost. If you think about it from a security standpoint though, the single payment, which I use, is a safer bet, not just from people knowing they have the money in their account, but from a security breach standpoint.

Just think about it. If you sign up for Automated payments, Verizon and the third party who processes the payments, both have your bank account or credit card information saved on servers. These servers are supposed to be PCI compliant. Even if they are, PCI compliance is a joke. Think of the banks (all of which have to follow at least PCI compliance) or stores (Which have to be PCI compliant) or anything that does online transactions, and how many breaches we hear of. Now think about how many breaches we don’t hear of, at least not immediately. Now look at single payment options, where you can choose not to save the payment info on their servers. Yes there are still problems that can arise from man in the middle attacks, spoofed SSL certificates, etc.. but once you make that payment, the info is not supposed to be stored anywhere. That means if Verizon, or their third party payment processor, has a security breach, your payment information should not be compromised. In reality it might just me being paranoid, but from a logic standpoint it does seem safer.

Now, Verizon did withdraw the $2 fee idea pretty quick, but expect to see it show back up again and again. The bigger thing Verizon has to worry about right now is the amount of bad press they are receiving. They need to remember that pissing one customer off means that customer is going to tell their friends and family, and eventually it can and will take a toll on business.