Yottabytes: Storage and Disaster Recovery


May 12, 2015  11:25 PM

Warrant Required for Border Laptop Searches, Judge Rules

Sharon Fisher
laptop, privacy, Security

Is a laptop more like a purse or a butt? Be prepared to explain your answer.

Since August 2009, civil libertarians have objected to a Department of Homeland Security policy that enables U.S. Customs and Border Patrol agents to search laptops and other electronic devices at the U.S. border, for large values of “at” – that is, within 100 miles of the border.

100 miles might not sound like much, but according to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. Altogether, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary. And despite their objections, the policy has largely been upheld.

But earlier this month, a judge ruled that – following the lead of the Supreme Court ruling on the Riley case, which stated that law enforcement officials needed a warrant to search someone’s cell phone – customs officials needed to have probable cause before they could search someone’s laptop.

Let alone take it 150 miles, make an exact copy of its hard disk, and go on a fishing expedition through it at their leisure.

Why? Because the potential amount of personal data in a laptop makes such a search more like a strip search than searching a handbag, writes Judge Amy Berman Jackson of the U.S. District Court of the District of Columbia. Her ruling allows defendant Jae Shik Kim to suppress evidence the government found after seizing his laptop at Los Angeles International Airport.

“Border patrol agents with the Department of Homeland Security suspected Kim of illegally selling aircraft parts to Iran and seized his computer before allowing him to board a flight home to Korea in December 2012,” writes Lauren Williams in ThinkProgress. “The government cloned Kim’s hard drive, shipped it off to a forensic lab in San Francisco, and searched it for keywords, uncovering a series of ‘incriminating emails’ that formed the basis for the government’s case against Kim.”

That constituted unreasonable search and seizure, Jackson writes. “Given the vast storage capacity of even the most basic laptops, and the capacity of computers to retain metadata and even deleted material, one cannot treat an electronic storage device like a handbag simply because you can put things in it and then carry it onto a plane,” she writes. Quoting another such case, she writes, “A forensic search is far more invasive than any other property search that I have come across and, although it lacks the discomfort or embarrassment that accompanies a body-cavity search, it has the potential to be even more revealing.”

Hence the purse-or-butt question.

Needless to say, Kim’s attorneys hailed the ruling. “The government claimed that because Mr. Kim’s laptop was seized at the border, it was free to search the computer without having any suspicion that he was presently engaged in criminal activity, the same way the government is free to search a piece of luggage or a cargo container,” write Kim’s attorneys. “Yet anyone who owns a laptop, smartphone, tablet, or any other personal mobile device, knows that the breadth and depth of private information stored within these gadgets are intimately tied to our identities and should be entitled to a heightened level of privacy.”

Similarly, civil libertarians are elated at the ruling, though for the time being it applies only to Jackson’s court, until an appeals court either affirms it or overturns it. “Our laptops and cellphones carry such a sensitive array of details of our lives, they cry out for more robust regulation under the Fourth Amendment,” Nate Wessler, a First Amendment and privacy attorney for the American Civil Liberties Union in New York, told ThinkProgress.

However, some legal beagles are concerned that the ruling won’t stand, because it doesn’t provide enough of a standard guide for when laptops can and can’t be searched, which the Supreme Court called for in Riley. “Judge Jackson’s totality-of-the-circumstances test seems like the kind of ‘ad hoc, case-by-case’ approach that the Supreme Court warned against in Riley,” writes Orin Kerr in the Volokh Conspiracy. In addition, it depends on whether the “reasonable suspicion” standard should be applied to the person or to the laptop, he writes.

Some of Jackson’s arguments about warrants could actually dissuade law enforcement from getting warrants in the first place, Kerr warns. He notes, though, that there simply isn’t any case law regarding when warrants are required.

“Once the computer is seized at the border and an image is made, what are the temporal limits on searching the image?” Kerr writes. “Do the agents have to do a warrantless search quickly, but then get a warrant after a certain period of time passes? Or can they keep searching for as long as they want? If there’s a time limit, what framework governs what that time limit is? Right now, we have no idea.”

May 6, 2015  4:27 PM

Pass the Popcorn: HP, Autonomy Going to Court

Sharon Fisher
Autonomy, HP

In another installment of Law and Order, HP-Autonomy Unit, court documents have been released that HP intends to use to back up its $5.1 billion lawsuit against Autonomy for fraud, based on what it says were artificially inflated revenues and sales. The company filed its lawsuit on March 30 and is filing documents now in preparation for actually having the case heard.

Needless to say, Autonomy isn’t taking this lying down. And, one has to say that, at least in the court of rhetoric rather than the court of law, Autonomy is winning. “We utterly refute the allegations made against us,” responded the former management of Autonomy, on a website managed by former CEO Mike Lynch intended to provide Autonomy’s side of the story. “HP has waged a three-year smear campaign riddled with half-truths and obfuscation. They have intentionally made the claims as complex and convoluted as possible.”

The lawsuit is “a continuation of HP’s transparent effort to generate one-sided publicity for its specious claims and false statements, avoid disclosure and engagement on the merits, bury HP’s own malfeasance, and insulate its directors and officers from liability,” thundered Autonomy’s attorneys. The response also went on to point out that the U.K.’s Serious Fraud Office had closed its investigation, saying there was insufficient evidence to convict Autonomy of fraud.

In addition, Lynch and the former management of Autonomy said in March, after HP filed its lawsuit, that it was also filing a £100 million lawsuit against HP, for “false and negligent statements.”

What the case boils down to will be a scintillating discussion of differing accounting methods between the U.S. and the U.K. “Much will depend on how these accounting differences between the U.S. and the U.K. are interpreted and applied in court,” writes Arik Hesseldahl in Re/code, a piece that includes complete copies of both HP’s and Autonomy’s court documents. “U.S. companies follow an accounting system known as Generally Accepted Accounting Practices, while U.K. companies adhere to a system known as International Financial Reporting Standards. The difference between them is important because GAAP rules establish clear practices for how revenue for software sales can be recognized, while IFRS rules treat software differently. Lynch has previously argued that at least some of HP’s allegations can be explained by the differences in accounting standards.”

Fortunately, the rhetoric and some aspects of the allegations make this far more interesting than the typical argument over accounting standards. “Dr. Mike Lynch used a deal with a Premiership football club to exaggerate growth of the software group, and offered to buy a Porsche for one of his salesmen if he sold hardware that made the company appear more dynamic than it actually was, Hewlett Packard has claimed,” writes This is Money, a U.K. financial site. “He also fired a US manager who raised questions over the company’s accounting policies, the documents allege.” Lynch says it was Autonomy’s chairman, not he, who fired the manager, and that it wasn’t unusual in the industry for salespeople to receive incentives.

As you may recall, this all started after HP’s monstrous $10 billion acquisition of Autonomy in 2011, for which nearly everyone agreed it overpaid. HP then took an $8 billion writedown on the deal, and since then the companies have been throwing lawyers at each other, in light of what some found to be, um, unconventional business practices on the part of Autonomy.

For its part, HP was sued by shareholders, and it’s racing the clock, writes Julie Bort in Business Insider. “HP was slammed with shareholder lawsuits, here and in the UK,” she writes. “And HP has been jumping through some pretty serious hoops trying to settle them before it splits into two companies in the fall.” The U.S. Justice Department and Securities and Exchange Commission are also still investigating, writes Bloomberg Business.

Legal experts told the New York Times that the cases brought by both HP and Lynch will not be heard before early next year.


April 30, 2015  3:43 PM

Politicians: Before You Scrub Your Twitter History, Read This

Sharon Fisher
social media, Storage

The Internet is forever, they say. While this isn’t entirely true – Google “link rot” sometime – there seems to be no end of Internet youthful indiscretions that come to the light of day once their young perpetrators achieve majority and go on to do something useful with their lives.

You may recall earlier this year one of those young victims — Jeb Bush political action committee’s newly hired CTO, Ethan Czahor, who resigned scant days after his appointment when his Twitter history came to light.

Now, Czahor’s trying to help people avoid the mistakes he made. Not by, say, suggesting that people be more circumspect in what they post to social media, but by giving them a tool to help them find potentially offensive material, starting with Twitter, Facebook, and Instagram. The tool is called Clear – which is a really terrible name; try to Google it sometime – and at the moment it runs just on iOS.

It’s not that it’s been impossible for people to scrub their social media history before. It’s simply that the tool makes it easier to find material that some might see as potentially damaging. For example, if you didn’t know that it was impolitic to refer to women as sluts, this tool could helpfully let you know that.

“The app works by flagging postings that contain watchwords: the obvious four letter ones, as well as ‘gay,’ ‘Americans’ and ‘black,’” notes Time reporter Zeke Miller (who goes on to add that the tool scored him with a record low -2404). “Posts are also subjected to sentiment analysis, using IBM’s Watson supercomputer, to try to flag additional negative messages. The app’s algorithms are far from perfect, but it errs on the side of caution.”

(How in the world did Czahor get access to Watson?)

The software flags potentially problematic messages, and then lets you decide whether to delete them. It can also only be used by people with access to the accounts, not by opponents, Miller adds. Future versions of the software could also work on email messages, personal blogs, and search results.

“There are caveats, of course,” warns Lisa Vaas in Naked Security. “There’s nothing to stop people from grabbing screen captures of postings, nor does this tool promise to reach into digital archives to erase anything.” Nonetheless, apparently the app is pretty popular; still in beta, it had a waiting list of more than 5,000 people earlier this month.

So what’s the problem?

Specifically in the case of politicians, we’ve written before about our concern when public servants are deleting the people’s business. And this is just another example of that. While we applaud Czahor’s ingenuity in making lemonade out of this particular lemon, and while we agree that yes, people should be allowed to move on with their lives without some particular online albatross hanging around their neck, there’s the we’ve-always-been-at-war-with-Eurasia aspect that’s concerning. How much do we want politicians to be able to change history, even their own?

Fortunately, we’re not the only ones who feel that way, which is why we feel honor-bound to let politicians know about something before they run off sanitizing their Twitter streams wholesale. In 2012, the Sunlight Foundation, a nonprofit dedicated to open government, started up a web page called Politwoops. The organization followed politicians and, as a public service, retweeted any Tweets they deleted and reposted the Tweets to a webpage, most recent first.

So here’s the thing. Politicians, pay attention: Any Tweets that get deleted not only get saved, but get posted to the Internet. So not only are the Tweets still there – albeit not in Twitter — but they will have new attention called to them. This is particularly true if it looks like somebody is deleting things in a big way in preparation for running for a higher office, as the Sunlight Foundation runs a weekly blog post with anything interesting that came up. In fact, it takes a point of pride in doing so.  “As a tweet ages and falls from the recent stream, it’s easier to quietly scrub those statements without getting attention — unless you’re a politician in Politwoops,” crows the organization.

David Weigel of Bloomberg notes, for example, that the Clear tool wouldn’t even have helped Czahor, who had already deleted the Tweets. “It would not have prevented Czahor himself from being caught out by Buzzfeed, which employed a reporter who knew how to find deleted info,” he writes. “It might make negative information tougher to Google or stumble upon, but it would not conceal it from a dogged investigator.”

While you’re Googling things, try Googling “Streisand Effect.”


April 28, 2015  1:22 PM

No Escape From the Black Hole of a Police Database

Sharon Fisher
police, privacy, Security

Remember back in elementary school? How often were you cowed into socially acceptable behavior by the threat that something would go on your permanent record?

You ain’t seen nothin’.

Increasingly, police are using technology to fight and prevent crime. Which is laudable, of course. But some of this stuff is starting to veer into Minority Report territory – you know, the 2002 Tom Cruise movie where people get arrested before they even commit the crime.

Police are using technology like social media to collect information about who people – such as gang members – might know, as well as people’s sentiments about such activities. “It is not hard to see why New York authorities are so enthusiastic about using social media in their investigations,” writes The New York World. “Unlike with a traditional wiretap, which requires a warrant, police can access public social media accounts easily — and even probe private accounts using a fake identity — with no need for a warrant.”

This information is then all put into a gang database, where it can be retrieved when needed. Once the data is stored in the database, it sits there. Forever. (Just watch a show like Blacklist or Hawaii Five-O sometime.) “For the kid listed in a gang database, it can be unclear how to get out of it,” writes Meredith Broussard in Atlantic. “In the database world, unless someone has permission to delete or amend a database record, no such change is possible. Credit agencies are required to forgive financial sins after 7 years. Police are not—at least, not consistently.” Only 12 states have policies that specifically address gang databases, only a few of them mention regular purging of information, and some specifically say that a person cannot even find out if they have a record in the database, she adds.

For example, GitHub offers six different free, open-source database applications that anyone can download and use – but none of them contains an expiration date, any regulations about purging, or any kind of guidance on ethical use, Broussard writes.

Here are some other examples:

  • Police in Brooklyn and Harlem use social media to create a database of suspected gang members who were burglarizing stores.
  • Cincinnati police created a database to track down gang members. “Collaborating with the University of Cincinnati’s Institute of Crime Science, the police created databases of information scraped from social networks, existing police records and phone records, then used software to analyze the data and establish links between suspects,” writes CNN.
  • Department of Motor Vehicles databases of people’s drivers license photos are being used to help identify suspects through facial recognition – not just of mugshots, but of ordinary citizens. In 2013, 37 states used facial-recognition technology in their driver’s-license registries, while at least 26 of those allowed state, local or federal law enforcement agencies to search — or request searches — of photo databases in an attempt to learn the identities of people considered relevant to investigations, the Washington Post reports.
  • Some Ohio police officers were caught using police databases for personal use, to look up information about somebody – sometimes to commit crimes against them.

Moreover, some people are concerned about the constitutional aspects of these databases. Just because you know somebody, does that mean you should be considered a suspect? “Is being ‘friends’ with someone on Facebook enough to establish the links of a criminal network?” asks The New York World.

In addition, the names of minority youth are much more likely to be collected in such databases than are white youth.

“Gang databases may also interfere with an individual’s First Amendment Freedom of Association,” writes Rebecca Rader Brown in Journal of Law & Social Problems. “Since a person may be documented for affiliating with other known or suspected gang members, he may be targeted as a suspect before committing any criminal act. Using a ‘guilt by association’ standard can have the effect of sweeping entire neighborhoods into a gang database. This effect is felt disproportionately by minority populations due to geographic targeting of anti-gang efforts. In certain localities, police tend to document minorities for behaviors that, if observed among members of the majority population, are considered innocuous.”

Plus, doesn’t having someone’s name in a database called “Suspects” interfere with the presumption of innocence? “An observational study in Arizona showed that police were more aggressive with documented gang members, using excessive force more often than with individuals not documented in a gang database,” Broussard writes. “Listing a teen in a database as a gang affiliate could bias future prosecutions against them. A district attorney or cop looking for a suspect could automatically assume that the kid who’s listed in the gang database is more likely to be involved than the kid who isn’t.”

Finally, there’s just something very Big Brotherish about the prospects of such databases. “That prospect has sparked fears that the databases authorities are building could someday be used for monitoring political rallies, sporting events or even busy downtown areas,” writes the Post. “Whatever the security benefits — especially at a time when terrorism remains a serious threat — the mass accumulation of location data on individuals could chill free speech or the right to assemble, civil libertarians say.”

Steps are underway to address some of these issues, such as having people’s records or social media histories wiped after a few years, or when they become adults. It’s also being suggested that police should be better trained in some of the ethical and constitutional aspects of these databases.


April 14, 2015  5:28 PM

Incredibly Geeky Storage Case Could Decide the Future of Patent Law

Sharon Fisher
legal, Storage

Okay, granted, “It has come to the attention of Carnegie Mellon University (“CMU”) that in recent months there has been an upsurge of interest on the part of industry in correlation-sensitive adaptive sequence detectors for signal-dependent noise and their application in data storage and retrieval using magnetic media” isn’t the most gripping of beginnings. But it gets better.

That scintillating paragraph comes from a 2003 letter that CMU wrote to Marvell Semiconductor, expressing interest in licensing its patents to the company. Marvell demurred, CMU sued in 2009 and won, and Marvell appealed. Now, almost 12 years after that first letter, the two parties are getting together again, this time presenting oral arguments to the appeals court.

The patent itself is really, really technical. It’s about not just storage, but storage chips, used by companies such as Seagate, and has to do with identifying and removing “noise” that crops up with increasingly dense disk drives.  “The patented technology significantly improves the ability of detectors to more accurately detect data stored on hard disk drives,” describes CMU in its FAQ on the case. “Marvell constantly uses the CMU invention, which it called a ‘Kavcic detector,’ during the ‘sales cycle’ process that the company must follow to design, simulate, develop, test and sell more than 200 different chip models (and more than 2.34 billion individual chips) containing the infringing hard disk drive read channels.”

Now, nobody’s accusing CMU of being a patent troll here. The university legitimately came up with the invention and patented it. Organizations such as the Electronic Frontier Foundation, which make a point of filing friend-of-the-court briefs when they believe a patent is overbroad, haven’t done so in this case; at worst, the organization believes that the award was too big. (The award was 50 cents per chip, which CMU has since said is probably what it would have charged the company as a royalty. Marvell earned an average revenue of $4.42 per chip and made an average operating profit of $2.16 for each of the more than 2 billion chips it sold, according to CMU.)

The whole thing is exacerbated because the jury found that Marvell was not just infringing, which it could have done by accident, but willfully infringing – that is, writes CMU, it was infringing “deliberately, intentionally, and with knowledge of the patent.”

Or, as some people might call it, “stealing.” CMU’s 2003 letter to Marvell was more than a year and a half after Marvell employees were referring in email to the technology, in the context of it being patented by CMU.

What difference does this make? Because willful infringement, as opposed to just regular infringement, can result in triple damages. In other words, CMU could – and did – ask for additional damages, resulting in a $287 million boosting of the award from $1.17 billion to $1.54 billion.

CMU is also concerned that Marvell, which is a public company that had more than $2 billion in cash as of 2013, is distributing that cash to its stockholders with stock buybacks and dividend payments without setting aside any money to pay the judgment. Also, Marvell is organized under the laws of Bermuda, and Bermuda and the U.S. don’t have a treaty to enforce judgments, according to Marvell’s SEC records. “It is clear that Marvell has the corporate machinery in place to efficiently (and conveniently) reduce its cash and short-term investment holdings during the time that it will take to resolve post-trial motions and any appeals in this case,” CMU writes.

Marvell’s side of it is that CMU sent out similar letters in 2003 to a total of 10 companies, and that none of them took CMU up on its offer. It also claimed prior art (which the jury denied), that CMU should have filed its lawsuit sooner than 2009 and was just waiting around to see if Marvell would be successful, and that the chips were primarily made and used outside the U.S.

In other words, the company said that the CMU technology was only used to design the chips, and that it wasn’t fair to then claim a royalty on every chip made using that design. A number of major technology companies, including Dell, Google, HP, Microsoft, and SAS signed a friend-of-the-court brief on this aspect of the case.

“Under the damages theory adopted below, any patent practiced domestically in the research and development of a product can result in a damages award reflecting every unit of that product produced and sold worldwide, including units that never entered the United States,” notes another friend-of-the-court brief, signed by law professors. “The practical effect of that damages theory is to confer a worldwide patent right, contrary both to established precedent and sound innovation policy.”

Marvell’s primary argument, however, is simply that the award is so darn big. The company noted that CMU offered to license the patent to Intel for just a flat fee of $200,000, and now is being awarded more than $1 billion. “In short, the largest extant judgment in patent history, resting on hypothetical per-unit royalties on worldwide sales, was awarded for infringement of two patents that no one has ever paid a penny in per-unit royalties to license in the commercial marketplace,” the company writes.

One legal expert, Steven Goldman, who listened to the opening arguments, believes that, while Marvell will still be ruled to have infringed on the patents, the judgment will be set aside, and perhaps even a new trial called for, regarding the award aspect. (For that matter, he believed the same thing before the oral arguments.) Other legal experts seemed to feel similarly.

In any event, the result of the case will be significant, Goldman writes. “From an economic and practical view, the outcome of this appeal is of great importance for technology and other companies based in the United States who may engage in R & D in the USA but manufacture and sell their products in jurisdictions outside of the United States assuming that they are not subject to patents filed only in the United States,” he writes. “For the parties to the appeal, the outcome of the appeal is of enormous financial significance.”


April 9, 2015  8:10 AM

EMC in an Unfamiliar Role: Gay Activist

Sharon Fisher
EMC, Isilon, Pivotal

When you think of EMC, the first word that comes to mind is not typically “activist,” and particularly not “gay activist.” Nonetheless, the Hopkinton, Mass.-based storage company was among the first to leap up and express its opposition to Indiana’s recent so-called Religious Freedom Reform Act. And it put its money where its mouth was, not only pulling out of the IndyBigData conference as a sponsor but taking its subsidiaries Pivotal and Isilon with it.

The conference, to be held in Indianapolis on May 7, is intended to provide a space where data experts and vendors discuss how to turn the ever-growing amounts of stuff generated by users online into businesses, writes Business Insider.

“We had three booths there, and we’re pulling everything,” EMC President Jeremy Burton told Re/code. “I think [salesforce.com founder, chairman, and CEO Marc] Benioff deserves the credit for calling attention to this, and when I circulated info about this law to our executive team, we decided we wanted to find a way to add our voice to this.”

This and similar economic pressures from other companies, particularly in the computer industry, led the state to revise the bill to forbid residents from discriminating against people based on their orientation or gender identity in the name of religious freedom. With those changes, EMC and Pivotal, along with a number of other technology companies, consented to return as sponsors of IndyBigData. (Amazon Web Services appears not to have returned as yet, though Oracle is again listed as a sponsor.)

“Now that the law has been changed, a bunch of sponsors have returned to the event. Cloudera, HortonWorks, Information Builders, Platfora, EMC, Pivotal and Isolan — firms that help enterprises store, manage and analyze data — are back,” writes Ad Age.

This is not the first time such bills have cropped up, but the response to Indiana was more vehement than against other states. Arkansas was in line to pass a similar bill but modified it after the reaction to Indiana. Arizona passed a similar bill through its legislature last year, but Republican Governor Jan Brewer vetoed it due to business backlash. Georgia’s legislature tabled a similar bill after it was amended to forbid anti-gay discrimination after concerns over a similar business response (though it’s expected to be reintroduced next year). North Carolina, home of Research Triangle Park, is still considering similar (and some say worse) legislation but it is on hold for now. Republican Michigan governor Rick Snyder has already promised to veto such legislation should it come to his desk. On the other hand, Mississippi passed such legislation a year ago with little fanfare and little anti-gay fallout thus far, and Utah passed a bill that both religious people and gays appeared to be okay with.

Part of it is simply changing times. 89 percent of Fortune 500 companies prohibit discrimination on the basis of sexual orientation and 66 percent prohibit discrimination on the basis of gender identity, compared with 61 percent and 3 percent, respectively, in 2002, according to the Human Rights Campaign Foundation’s 2015 Corporate Equality Index, writes MetroWeekly’s Justin Snow.

The interesting, and commendable, thing about EMC’s actions is that it’s not generally on the list when one thinks about activist high-tech companies. It doesn’t have a Director of Product Management, Civic Innovation and Social Impact like Google does (or, er, used to). It doesn’t have a high-profile openly gay executive like Apple’s Tim Cook. And it’s not based in a gay Mecca such as San Francisco.

Not to say that EMC wasn’t criticized for its actions.

“So many of the newly energized boycotters have no problem whatsoever doing business in countries whose governments promote and even carry out mind-boggling discrimination against LGBT people,” writes Eric Convey, web editor for Boston Business Journal. “EMC derives about 28.6 percent of its revenue from a region that includes the Middle East and Africa and 13.1 percent from what’s listed as the ‘Asia Pacific’ region. EMC’s website lists a contact in Lagos, Nigeria, where execution of gay people is allowed in some circumstances.”

Similarly, Bloomberg’s Katie Benner notes that the tech companies didn’t speak up about the various racial issues going on in the U.S. for the past several months, and pointed out tech’s dismal record in promoting minorities and women.

“I’ve met scores of gay people in tech — engineers, public-relations people, designers, product heads and investors,” she writes. “But I have met exactly three black entrepreneurs and probably four black employees at tech companies and venture firms. Plenty of other social movements have received attention during the past year, including those springing from the deaths of unarmed black men at the hands of the police and the appalling stories about sexual violence on college and university campuses. Tech companies didn’t protest police brutality en masse and we didn’t see letter-writing campaigns expressing concerns about the criminal justice system. Nor did we see tech leaders pow-wow with the heads of colleges such as Stanford and Harvard, which feed students into the tech industry, to figure out how to make campuses safer for women. To the contrary, the tech industry has clumsily grappled with questions about gender discrimination — most visibly amid the high-profile sex discrimination battle between Ellen Pao and the venture firm where she used to work, Kleiner Perkins. There is a notable dearth of black and Hispanic tech employees.”

This all raises the question – is a company not allowed to take a stand against something unless it takes a stand against everything? Even if the actions are in a country outside the U.S.? Do we want a company that’s doing the right thing – even if it’s “finally” – to feel that no good deed goes unpunished? Or do we thank them, and then ask them to expand their newfound enlightenment to other areas?


March 30, 2015  5:48 PM

‘Twas the Night Before World Backup Day

Sharon Fisher
Backup

Chances are, you’ll be celebrating World Backup Day Eve tonight by assembling a NAS drive for your kids, who are snug in their beds after having left out chocolate-chip cookies and milk. Tomorrow morning they’ll come pounding down the stairs before dawn, to see what sort of backup hardware and software they find in their stockings.

You mean, you don’t Believe?

Whether or not you Believe, the day before April Fool’s Day is as good a day as any to remind yourself to make sure that your data is backed up and, more to the point, that you can retrieve it again afterwards. Like changing the batteries in your smoke detector when the time changes, it provides a useful mnemonic for one of those boring but important things to do.

A similar mnemonic this year is 3-2-1: Keep three copies, in two formats, with one copy off-site. “Step 1: This can be as simple as backing up to an external hard drive,” notes backup vendor Acronis. “Step 2: Use a different format such as cloud backup software, which can automatically back up all data to the cloud. It’s automated, so you don’t even have to do anything. Step 3: Store a backup copy in a secure, offsite location. This is where using the cloud is beneficial because it can join steps two and three together.”
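As an added illustration (not from Acronis or the original post), the Python sketch below checks a set of backup copies against 3-2-1 and also confirms that each copy reads back identical to the original, since a copy that cannot be restored should not count. The `BackupCopy` fields, the medium labels and the sample files are assumptions constructed for the example, and the original on the primary machine is assumed to count as one of the three copies.

```python
import hashlib
import tempfile
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class BackupCopy:
    label: str      # hypothetical name for this copy
    medium: str     # storage format, e.g. "internal-disk", "external-disk", "cloud"
    offsite: bool   # True if stored away from the primary location
    path: Path      # where the restored (read-back) file lives


def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_321(copies: list[BackupCopy], expected_sha256: str) -> list[str]:
    """Return a list of problems; an empty list means the set passes."""
    problems = []
    intact = []
    for c in copies:
        if not c.path.is_file():
            problems.append(f"{c.label}: cannot be read back")
        elif file_sha256(c.path) != expected_sha256:
            problems.append(f"{c.label}: restored data differs from the original")
        else:
            intact.append(c)
    # Only copies that restore correctly count toward 3-2-1.
    if len(intact) < 3:
        problems.append(f"only {len(intact)} intact copies, need 3")
    if len({c.medium for c in intact}) < 2:
        problems.append("intact copies use fewer than 2 storage formats")
    if not any(c.offsite for c in intact):
        problems.append("no intact copy is off-site")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: a healthy set, then the same set with a bad cloud restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        payload = b"family photos 2015 (constructed sample data)"
        copies = []
        for label, medium, offsite in [("laptop", "internal-disk", False),
                                       ("usb-drive", "external-disk", False),
                                       ("cloud", "cloud", True)]:
            p = root / f"{label}.bin"
            p.write_bytes(payload)
            copies.append(BackupCopy(label, medium, offsite, p))
        expected = hashlib.sha256(payload).hexdigest()
        healthy = check_321(copies, expected)
        copies[2].path.write_bytes(b"truncated")  # simulate a corrupted cloud copy
        degraded = check_321(copies, expected)
    return healthy, degraded


if __name__ == "__main__":
    print(demo())
```

Losing the single off-site copy fails two rules at once, which is why the restore check matters as much as the copy count.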

Acronis also conducted a survey that found that:

  • More than 75 percent of consumers store their data digitally
  • Consumers would be nearly three times more upset if they lost their photos than if they lost their phone, computer or tablet
  • More than 50 percent of consumers store their data only on their computer – or not at all
  • Of those using a data backup system, only one third are protecting their entire computer system, while the rest are simply protecting some files.
  • More than 50 percent believe their personal data are more valuable than their actual devices
  • Almost half of the respondents value their data at over $1,000
  • Only 5 percent of consumers surveyed are willing to actually spend that amount to recover their data once it is lost
  • 94 percent of respondents said they are willing to spend up to $100 to preventively back up their data.

For its part, backup vendor Verbatim notes in its survey that 25 percent of respondents said they didn’t back up their data because they were lazy. 18 percent said they didn’t know how, 12 percent said it took too long, 9 percent said it was too expensive, 6 percent said the research took too long, and 5 percent simply felt that nothing would happen to them.

Mwa-ha-ha.

First held in 2011, World Backup Day was actually spawned by a reddit discussion and is primarily intended for consumers who might otherwise lose pictures, music, and so on. (Presumably the people would also set up an automated backup from then on; backing up your data once a year isn’t going to help much.)

The World Backup Day website also offers a variety of statistics on backups, though some of them date back to as far as 2001. People are also asked to pledge to back up their data and encourage their friends to do so; thus far, 2816 people have pledged, which is an improvement over last year’s 1800, especially since it’s not even The Day yet.

These days, World Backup Day is mostly an occasion for backup vendors – primarily services, rather than hardware and software – to promote their services and to offer sales. So if you’ve been looking into one of these services, now might be the time to do it.

Here are some of them:

  • Carbonite has bonuses for its resellers, as well as a contest for users.
  • CloudBerry Lab is selling its Cloudberry Box service for half price through April 2.
  • Datto is offering 10% off a new, one year contract for 25+ users for its Backupify service if purchased before World Backup Day comes to a close on March 31, 2015.
  • RossBackup is giving away basketball tickets to new customers.

You can also order T-shirts, fridge magnets, or posters.

Meanwhile, tonight you can listen for the sound of little hard drives on the roof.


March 27, 2015  3:27 AM

Using USB Drives as a Tool to Liberate North Koreans

Sharon Fisher

In the 1940s, during World War II, Japan attacked North America using paper balloons filled with hydrogen and carrying a payload of incendiary and anti-personnel bombs. The balloons were supposed to float across the Pacific Ocean using air currents and then set fire to the forests of the Northwest, as well as injure people upon landing. As it happens, the only casualties were a pregnant woman and five children in Oregon who found one of the things in 1945, but remnants of the devices are still being found even today.

This being more civilized times, these days people are attacking culturally, with American television and movies.

“We’re here to hack the North Korean government’s monopoly of information above the 38th parallel on the Korean peninsula,” wrote Thor Halvorssen and Alexander Lloyd in the Atlantic last year. “The embargo of information into and out of the country has forced human rights groups to be creative in their methods of reaching North Korean citizens.”

The particular group they were working with was called Fighters for a Free North Korea, led by Park Sang-hak, a defector and son of a former North Korean spy. The group sent a series of balloons – 20-foot long “transparent, cylindrical tubes covered in colorful Korean script,” each of which carried three large bundles wrapped in plastic containing “DVDs, USBs, transistor radios, and tens of thousands of leaflets printed with information about the world outside North Korea,” the Atlantic writes.

And what is stored on those USBs that is such a threat to the North Korean government? Not malware, but simple popular culture from outside the country. “Shows such as Desperate Housewives and The Mentalist, and films like Bad Boys, all of which defectors tell us are very popular in the North, provide a wildly different alternative to their daily lives,” explains the Atlantic. (Friends is reportedly also popular.)

The up to 1,500 USB drives also contained copies of a Korean language version of Wikipedia, reported Business Insider. “USB keys are one of the most powerful tools, because they’re small, can be hidden and shared easily, and carry massive amounts of data,” Halvorssen said. USBs are also easier to hide than DVDs or other storage methods, and can even be swallowed, note other dissidents.

Park’s group is not the only one. The PBS news program Frontline interviewed a different group that is working to overthrow North Korea using thumb drives. “The men prefer watching action films. Men love their action films. I sent them Skyfall recently,” defector Jeong Kwang-Il said on the show. “The women enjoy watching soap operas and dramas. They like that kind of film. Now they’re sharing thumb drives a lot. Even officials have one or two. North Korea is trying to hunt them down because the thing that changes people’s mindsets is popular culture. It probably has the most important role in bringing about democracy in North Korea.”

So seriously does the country take this that some North Koreans have reportedly been executed for watching foreign television, Frontline reported.

This week, Park had planned another balloon drop with 10,000 copies of the movie The Interview, which as you may recall created an international incident in December when Sony at first dropped plans to release the movie after North Korean threats. However, the organization announced on Monday that it was delaying or scrapping the plan, and in fact was suspending the entire balloon program out of concerns about retaliation from North Korea.

While we talk a lot about the potential hazards of USB drives, they have a power as well.


March 17, 2015  11:24 PM

Now USB Drives Can Set Your Computer On Fire

Sharon Fisher
Security, Thumb drive, USB

We keep telling you and telling you: Don’t plug strange USBs into your computer! You don’t know where it’s been! Now, it could kill your computer.

It’s tough, because some things are so enticing. Even government workers, who should really know better, have a bad habit of picking up stray USBs just to see what they’d do. And there are other ways to propagate USB drives than scattering them in a parking lot.

Take dead drops, which we wrote about a couple of years back and are making the rounds again. It’s a USB drive literally cemented into a wall or curb that you can plug into your laptop, and exchange data, whether it’s an art installation or seekrit messages. Since the initial ones in 2010, there are now 1,500 dead drops around the world, with nearly 10 terabytes of combined storage, according to Alex Hern in The Guardian. “There are dead drops on every continent in the world except Antarctica, as far north as eastern Iceland and as far south as Wellington, New Zealand,” he writes, with the most recent being added in Hong Kong, Baden Württemberg in Germany and Xining, a city in western China.

“When cemented into place, each drive is empty except for a file explaining the group’s manifesto: ‘A Dead Drop is a naked piece of passively powered Universal Serial Bus technology embedded into the city, the only true public space,’” Hern writes. “But after a while, anything from photos to videos can be uploaded by anyone – which has led to some problems.” Examples include plans for a bomb, guides to producing crystal meth, and recipes for various deadly poisons, he describes.

Or, hypothetically, a virus or other malware, which is the problem with picking up unidentified USBs and plugging them into your computer to see what they do. (That’s probably how the International Space Station got a virus on it.)

We’ve also heard about USB drives with malware in the microcode, so the USB device can pretend to be something it isn’t and steal data – not to mention be almost impossible to remove.

But now poking a USB drive into your laptop won’t just give it a virus, it could literally destroy it. That’s because a Russian computer person nicknamed “Dark Purple,” just for grins, decided to design something in a USB drive form factor that could zap whatever laptop it was plugged into, according to the description on a Russian website (including pictures). Basically, it consists of lots and lots of capacitors that store energy and send it back out through the USB port, all in a package that looks just like a regular USB drive.

“The basic idea of the USB drive is quite simple,” describes an English translation of the Russian website. “When we connect it up to the USB port, an inverting DC/DC converter runs and charges capacitors to -110V. When the voltage is reached, the DC/DC is switched off. At the same time, the field transistor opens. It is used to apply the -110V to signal lines of the USB interface. When the voltage on capacitors increases to -7V, the transistor closes and the DC/DC starts. The loop runs till everything possible is broken down.”

Hacker News goes so far as to claim that with it, a laptop could be turned into a bomb, or at least set on fire.

The website didn’t include any imagery of the device in action, but it’s certainly a heads-up that such a device might be out there.


March 9, 2015  9:38 PM

How Serious a Problem is Hillary Clinton’s Private E-mail System?

Sharon Fisher
Email, privacy, Security

We’ve written before about the notion of Politicians Behaving Badly by using personal email systems while they served in office. Now former Secretary of State Hillary Clinton is under fire.

The New York Times broke the story on March 2, noting that in her time in office, Clinton used the email account hdr22@clintonemail.com and, in fact, had never had an official .gov email account. Later stories ascertained that the email system in question, which ran Microsoft Outlook, lived on a server in her house in Chappaqua, N.Y.

There’ve been two major challenges in the reporting of this story. First, Clinton is a polarizing figure in politics, and it can be difficult to separate out fact from partisan issues. Second, the mass media members are not technical experts, and some of the articles have been, to put it kindly, lacking in technical details, as David Gewirtz so ably points out. The AP article on her server, for example, called it “homebrew,” as though she’d put it together in the basement with spare parts from Radio Shack, while Fox News and Bloomberg hired hackers to scour the Internet for references to other email accounts from that server and to look for security holes in her system, respectively.

Politicians ranging from Alaska Gov. Sarah Palin to the entire state of California have come under criticism for using personal email systems. What are the issues? The email isn’t secure. The system can be hacked. The owner of the system, if it’s a public mail service, has access to the government official’s email. The email messages might not be accessible to public records requests and legal issues.

Another major issue is concern that the government official can more easily delete potentially embarrassing email messages, either on purpose or by accident. This has been an issue with a number of government officials, ranging from President George W. Bush to Arkansas Governor Mike Huckabee to Massachusetts Governor Mitt Romney to Lois Lerner of the IRS. (Incidentally, they found her missing email. Right where it was supposed to be. Hmm.)

Clinton’s situation, however, is somewhat different. First of all, she wasn’t using personal email some of the time for certain issues; she used the personal email system all the time. Which raises the question: Why didn’t anybody talk about it before now? President Barack Obama reportedly said he didn’t know about this until he saw news reports. Really? He and his Secretary of State never exchanged email, or if they did, he never noticed her email address?

(Actually, Clinton’s personal email address had been known about for at least two years; it just didn’t get the attention it’s getting now.)

Second, the Secretary of State’s office has apparently not traditionally had an email system per se. Noting that only four Secretaries of State have been in office in the email era, the State Department asked them to send in copies of any email records they had from private email systems. Two, Madeleine Albright and Condoleezza Rice, said they didn’t use email.

Apparently this isn’t unusual in government; South Carolina Senator Lindsey Graham – who, incidentally, serves on the subcommittee on privacy, technology, and the law – says he’s never sent an email message.

Meanwhile, Colin Powell, Secretary of State under President George W. Bush until 2005, said he used a personal email account because the State Department system was “antiquated.” But it’s only since 2014 that rules about private email accounts for federal government business were implemented, which is why current Secretary of State John Kerry uses one.

Third, the State Department system was vulnerable to hacking. In fact, despite some security weaknesses such as a default encryption certificate, Clinton’s system may have been stronger than the official system, notes Clay Johnson, former director of the Sunlight Labs for the Sunlight Foundation (and others). “That personal email was probably far more secure than her state.gov email account,” he writes. The State Department’s email system has been compromised for months.

For example, the State Department doesn’t have a number of common security measures, such as malware detection for remote email, encryption, digital signatures, or two-factor personal identity verification cards, reports NextGov. And the “homebrew” system would likely have been more secure than a public system such as Gmail or Yahoo!, writes Slate.

But didn’t Clinton violate the law by not using the government email system? “There was no such ironclad rule when Clinton became Secretary of State,” writes Joe Conason in National Memo. “The former Secretary of State doesn’t appear to have breached security or violated any federal recordkeeping statutes, although those laws were tightened both before and after she left office. She didn’t use her personal email for classified materials, according to the State Department.”

“Federal regulations don’t outright ban the use of personal accounts,” confirms NextGov.

Regardless, Clinton’s actions have come under criticism, such as from Gov. Scott Walker of Wisconsin. “How can she ensure that that information wasn’t compromised?” he told The Weekly Standard, after an event with supporters in Des Moines. “I think that’s the bigger issue—is the audacity to think that someone would put their personal interest above classified, confidential, highly sensitive information that’s not only important to her but to the United States of America.”

This, of course, is the same Gov. Walker whose staff set up a private email system within his own County Executive office when he was running for Governor. But that was different, Walker argues, though The Weekly Standard didn’t explain how.

Clinton was also criticized by former Florida Gov. Jeb Bush. “For security purposes, you need to be behind a firewall that recognizes the world for what it is and it’s a dangerous world and security would mean that you couldn’t have a private server,” he told Radio Iowa. “It’s a little baffling, to be honest with you, that didn’t come up in Secretary Clinton’s thought process.”

This, of course, is the same Gov. Bush who also used a private email system and address, on a server that he owned, when he was Governor of Florida. But that was different, some argue, because people knew that he was using that email address.

Clinton is also being criticized by Utah Rep. Jason Chaffetz, chair of the House Oversight and Government Reform Committee, which is going to investigate the situation. ABC News, however, points out that Rep. Chaffetz’ own business card lists a Gmail address. The list of Clinton detractors who also use private email goes on.

Whether people see this as the death blow to Clinton’s candidacy or something to mock, as Saturday Night Live did, we should have our chance to judge for ourselves before long; Clinton has called on the State Department to release her 55,000 pages of email messages to the public.

