Yottabytes: Storage and Disaster Recovery

August 29, 2017  12:41 PM

Nerd Out on Backblaze Hard Drive Statistics

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Backblaze, hard drive, Storage

Periodically, I like to pass on what Backblaze is reporting about the hard drives that make up its cloud backup service. This is for two reasons. First, Backblaze uses a truly massive number of hard drives, and so they come up with a lot of statistically significant results. Second, the company is absolutely nerdy about big data and hard drive statistics, and does quarterly and annual reports on its experiences that are a great example of how a company could do this sort of report about any hardware it happened to have.

Backblaze just came out with its second quarter report, but because I haven’t written about its individual hard drive statistics for more than a year, I’ll also catch you up on the last couple of quarters as well.

The company is now up to 83,151 hard drives altogether. In the first quarter, it added more than 10,000 hard drives in total, and in the second quarter, it added 635 new hard drives in total – some due to failure but many of them due to migrating to larger, higher density (as well as newer) hard drives. For example, Backblaze has been migrating its 3 TB hard drives to 8 TB  — which, the company said, more than doubles its storage capacity in the same footprint while only increasing its electrical use a little bit.

In addition to upgrading the hard drives themselves, Backblaze is also creating much larger collections of hard drives. Instead of using its “pods” of 45 hard drives, the company has been using “vaults” made up of up to 20 even bigger “pods,” each of which hold up to 60 hard drives. With the increased size of hard drives it’s now using, each “vault” can now store up to 14.4 petabytes of data.

Another interesting thing that Backblaze has been doing lately is testing enterprise-grade hard drives. As you may recall, the company became well known for building its storage system with commodity consumer hard drives rather than the monolithic gigantic storage devices made by companies such as EMC. That was cheaper, especially when it became time to upgrade, and was more granular. But the company has been criticized over the years for using consumer hard drives rather than enterprise hard drives, which some people (including the vendors whose hard drives weren’t very reliable in the Backblaze setup) said would be better suited for the way Backblaze used its drives.

So Backblaze has been testing enterprise hard drives, and surprisingly found that they were actually more prone to failure than consumer ones, as well as generally being more expensive. On the other hand, the company apparently found a batch of Seagate 8 TB enterprise hard drives on sale, and at that price they were worth getting, so the company is using some of them. While they are still showing a slightly higher failure rate, the company cautions us not to jump to conclusions, indicating that it might simply be burn-in failures because of how new they are (which the company calls the “bathtub curve”).

“The enterprise drives have 363,282 drives hours and an annualized failure rate of 1.61%,” writes Andy Klein, director of product marketing for Backblaze. “If we look back at our data, we find that as of Q3 2016, the 8 TB consumer drives had 422,263 drive hours with an annualized failure rate of 1.60%. That means that when both drive models had a similar number of drive hours, they had nearly the same annualized failure rate.”

In other developments, it may surprise you, but Backblaze doesn’t always leap to a new, more dense hard drive model as soon as it comes out; since it’s using a commodity model, it waits until the cost per megabyte for the more dense models is equivalent to that of the less dense models it’s already using, and then tests them. Consequently, the company is just now starting to test 12 TB hard drives. “In the next week or so, we’ll be installing 12 TB hard drives in a Backblaze Vault,” Klein writes. “Each 60-drive Storage Pod in the Vault would have 720 TB of storage available and a 20-pod Backblaze Vault would have 14.4 petabytes of raw storage.”

As it is, Backblaze spends 23 percent of its revenue on hardware, 90 percent of which is devoted to pods and vaults. The rest of the 47 percent of revenue devoted to costs includes space for the hard drives, electricity to run them and keep them cool, personnel to keep them happy and functioning, bandwidth to transfer data, and so on. The company’s remaining 53 percent of revenue is devoted to the operational expenses of keeping it running, such as developing new features, marketing, sales, office rent, and other administrative costs.

As always, the company releases an Excel spreadsheet with its data, as well as the entire datasets themselves, so you can geek out on hard drive data to your heart’s content.

Disclaimer: I am a Backblaze customer.

August 25, 2017  10:54 PM

Yet Another Installment of the Spokeo Case

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Data, law, legal

In the criminal justice system, cases sometimes rise and fall based on incredible arcane and trivial bits of the law.


Such is the case with Spokeo. As you may recall, it all has to do with Spokeo, a data aggregator, getting some data wrong, and the guy in question, Thomas Robins, suing them for it. The importance of the case was less a matter of the effect on the particular guy, and more a matter of what legal precedent would be set, based on court rulings. Hypothetically, it could have meant that people would be able to sue based on simple errors of procedure that happened to violate a law. That would have made the lawyers happy, but not many other people.

The Spokeo case went all the way to the Supreme Court, which ruled in May that the Ninth Circuit Court hadn’t done the job right in the first place and sent it back to them for a do-over. And apparently the Ninth Circuit wanted to be very thorough this time, because it took them more than a year to essentially cut-and-paste from the Supreme Court’s ruling.

Specifically, the Court directed the Ninth to determine two things about the case:

  • Whether it was particular. “There was no dispute that Robins had satisfied the particularity requirement of injury in fact,” writes James McKenna of Jackson Lewis, in National Law Review. “The injury he alleged was based on the violation of his own statutory rights and was due to the inaccurate information about him.”
  • Whether it was concrete. “A concrete injury must be ‘real’ and not ‘abstract,’” McKenna writes. “There are three aspects of concreteness. First, it is not synonymous with being tangible. A concrete injury need not be tangible. Intangible injuries, such as the abridgment of free speech rights, can be concrete.” Second, while Congress implementing a law is important, just because a law provides the right to sue doesn’t mean they can, he writes. “Third, the risk of real harm’ can constitute a concrete injury, even if the harm may be difficult to prove or measure,” he adds.

Where the Ninth had erred, the Supreme Court ruled, was by not considering those two points separately in the first place, especially the concreteness one.

To a certain extent, this seems like failing the calculus test because, even though you got the right answer, you didn’t show your work. But for attorneys, it’s all about showing your work and crossing all the Ts and dotting all the Is.

So, the Ninth Circuit came back earlier this month to say, yes, it was, too, concrete. “The Ninth Circuit looked to whether the FCRA [Fair Credit Reporting Act] was established to protect consumers’ concrete interests (as opposed to their purely procedural rights),” write Hanley Chew and Eric Ball in Mondaq. The Ninth Circuit went on to point out that both the Supreme Court and Congress have indicated in the past that having incorrect data in a database is a Bad Thing, going on to quote the Ninth Circuit ruling. “’The relevant point is that Congress has chosen to protect against a harm that is at least closely similar in kind to others that have traditionally served as the basis for lawsuit.’ Thus, informed by both Congress and historical practice, the Ninth Circuit held that Congress enacted the FCRA to protect consumers’ concrete interest in accurate credit reporting,” they continue.

Did that settle the case and Robins gets what he wants? No! It simply rules that he has standing, meaning it kicks the can back down the road to the District Court, and he can proceed with his case. “The District Court for the Central District of California originally dismissed the case, holding Robins failed to allege any injury-in-fact and, therefore, did not have Article III standing,” explains David Anthony in InsideARM. “The Ninth Circuit reversed, holding the alleged violation of Robins’ statutory rights alone was sufficient to satisfy Article III’s requirements, regardless of whether the plaintiff can show a separate actual injury.”

Keep in mind that Robins is suing Spokeo not for making him sound worse, but for making him sound better. “The report erroneously said Robins was married with children and that he was older, better educated, wealthier and more accomplished than he actually was,” write three attorneys from Sidney Austin LLP in Mondaq.

Those scoundrels.

The Ninth Circuit also took pains in its ruling to say that, just because the data was wrong in Robins’ case, didn’t mean that everybody who finds an error in their personal information in a database gets to sue. “The Ninth Circuit emphasized the case-specific nature of its hybrid approach, ‘caution[ing] that [its] conclusion on Robins’s allegations does not mean that every inaccuracy in these categories of information (age, marital status, economic standing, etc.) will necessarily establish concrete injury under FCRA,’” write four attorneys from K&L Gates in the National Law Review. “This is because “[t]here may be times that a violation leads to a seemingly trivial inaccuracy in such information (for example, misreporting a person’s age by a day or a person’s wealth by a dollar).”

And that’s the good news for Spokeo, and every other company that collects data on people: Having to determine just how much and what sort of bad data is acceptable – the data equivalent of the allowed number of insect parts in a jar of peanut butter – will make it harder for people to file class-action suits against data aggregators, the company told Perry Cooper of Class Action Litigation Report.

Even without the Ninth Circuit’s do-over, numerous – on the order of three a dayrulings are now referencing the Spokeo case. The problem now is that even after the Ninth Circuit decision, some questions still remain — which means this case could go back to the Supreme Court again. “The Ninth Circuit did not provide broad guidance about whether and under what circumstances a single inaccuracy in a credit report, a certain type of inaccuracy or another combination of inaccuracies would be sufficient to constitute a concrete injury,” write the Sidney Austin attorneys. “The court made clear that de minimis violations may not confer standing, but other than holding that Robins’s alleged facts were enough to confer standing, it did not provide clear guidance on where the line falls between sufficient and insufficient injuries.”


August 16, 2017  11:36 PM

Dreamhost Fights DoJ Inauguration Warrants — All 1.3 Million

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, privacy, Security

As you may recall, in February we covered the question of how many search warrants the government could legally expect to serve on Facebook at once, given that the company felt that the 381 it had received was too many.

“For example, could the government get a warrant for everyone who posted on Facebook that they had attended the Women’s March so it could arrest them or put them in some sort of database?” we asked presciently.

Little did we know.

As it turns out, the Department of Justice is asking the web hosting company Dreamhost to provide information about every visitor to a particular website, www.disruptj20.org, which was intended to help organize protests at the inauguration of President Donald Trump. Some 230 people, including six journalists, were arrested. (“J20” referred to January 20, the date of the inauguration.) But the DoJ is asking for information on all 1.3 million visitors to the website.

And it is asking for a lot of information: “names, addresses, telephone numbers and other identifiers, e-mail addresses, business information, the length of service (including start date), means and source of payment for services (including any credit card or bank account number), and information about any domain name registration,” as well as the content each person viewed.

In other words, even if you simply visited the website once, didn’t post any information, and didn’t attend any protests, the government would now have your information. Incidentally, disruptj20 did not keep logs of this data itself, but Dreamhost did, according to NPR.

So, just by virtue of researching this story, I’m now on this list. Twice.

“No plausible explanation exists for a search warrant of this breadth, other than to cast a digital dragnet as broadly as possible,” writes Mark Rumold of the Electronic Frontier Foundation, which is helping Dreamhost with its defense. “But the Fourth Amendment was designed to prohibit fishing expeditions like this. Those concerns are especially relevant here, where DOJ is investigating a website that served as a hub for the planning and exercise of First Amendment-protected activities.” The organization is also helping Facebook fight a similar request for information, but doesn’t even know whether it’s also about the inauguration, because of a gag order.

Dreamhost, which spilled the beans on all this on August 14 , is fighting the warrant on First and Fourth Amendment grounds, saying it is “overbroad.”

You think?

A hearing is scheduled for Friday.

Interestingly, the DoJ sent out its warrant on July 12. For an event on January 20? It doesn’t necessarily mean that the DoJ attorneys are slow, though they have been fighting with Dreamhost about this data since a week after the inauguration. The Electronic Communications Privacy Act Stored Communications Act changes the rules at 180 days. “Under the ECPA, emails on a server for more than 180 days is considered ‘abandoned’ by users and can be accessed through a subpoena instead of a search warrant,” explains Ryan Reilly in the Huffington Post. To what degree that is actually a factor here is hard to tell, because many of the outlets reporting on this aren’t technical enough to say. But it’s interesting timing.

The DoJ made its initial request, a subpoena and an order to preserve records, on January 27. However, Dreamhost, perhaps disingenuously, didn’t understand what the government was actually asking for. “Within three weeks of service of the subpoena, DreamHost produced its records responsive to these categories,” the company writes. “In its correspondence accompanying the production, DreamHost’s General Counsel made clear that he understood the subpoena was directed to records regarding the registrant, and not records regarding third party visitors to the website.”

Dreamhost also points out in its response that the request is more like a subpoena than a search warrant, because “it requires DreamHost itself to execute the warrant and provide the responsive records to the government.” The company also notes that the information the government is asking for is really more like evidence of a violation than a violation itself, despite how the warrant is worded.

It also isn’t clear exactly what the DoJ is trying to find out, or if it’s simply going on a fishing expedition, because that part of the warrant is sealed. But assuming it gets away with this request, it is making its requests for Microsoft data overseas look like child’s play. If companies can be forced to provide this much data about every single visitor to its customers’ websites, no matter how innocent, this could have a seriously chilling effect on, well, everything.

July 31, 2017  9:03 PM

E-Discovery Data Breach is a Lesson for All of Us

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
E-discovery, Security

Be careful with e-discovery: You might discover something you didn’t intend.

That’s what one attorney recently learned when collecting data for a legal case. “The 1.4 gigabytes of files that Wells Fargo’s lawyer sent included copious spreadsheets with customers’ names and Social Security numbers, paired with financial details like the size of their investment portfolios and the fees the bank charged them,” write Serge Kovaleski and Stacy Cowley in the New York Times – data from some 50,000 customers altogether.

Typically, such personally identifiable information is redacted, or removed, from e-discovery data sent to the opposing counsel, Kovaleski and Cowley explain.

Initially, the attorney blamed the software vendor (of course), which wasn’t named but appeared to include both software and service. But as it turns out, the attorney hadn’t realized how much data the e-discovery request had obtained, writes Christine Simmons in Law.com. Using the software, the attorney reviewed “what I thought was the complete search results” and marked some documents as privileged and confidential, and then coordinated with the vendor to withhold from production anything she tagged as privileged and confidential, Simmons writes.

“What I did not realize was that there were documents that I had not reviewed,” the attorney tells Simmons, adding that her view showed only a set limit of documents at one time. There also appeared to be some confusion about who actually performed the redacting of the documents, and whether any of the data was redacted, according to court documents (which are a thing of beauty, and you really should read them to get the full effect).

Moreover, the files were handed over to opposing counsel with no protective orders and no written confidentiality agreement in place. Consequently, it would be perfectly legal for counsel “to release most of the material or include it in their legal filings, which would then become part of the public record,” Kovaleski and Cowley write.

And it didn’t end there. Because Wells Fargo had released the personally identifiable information, it then became a data breach and was subject to all the laws governing data breaches. Sending the data without redactions or confidentiality agreements violates “various privacy protection laws, Financial Industry Regulatory Authority Inc. guidance and U.S. Securities and Exchange Commission regulations, according to opposing counsel in court documents,” she writes. The attorney who had sent the files to the other attorney asked that the data be returned, but at that point it became evidence in the data breach case.

Wells Fargo and its attorney have been using various legal maneuvers to get the opposing counsel to return the data, as well as destroy any copies it had made of it, Simmons writes. The attorney also noted, however, that the CD was encrypted, and that she’d written “Confidential” on the envelope. Thank goodness.

Regardless, Wells now needs to follow standard data breach protocols, such as notifying the customers that their data has been improperly released, Kovaleski and Cowley write. “And some of the accounts are listed as having a foreign owner, which would potentially trigger a separate set of overseas regulations, such as Europe’s stricter privacy statutes,” they add.

Such data breaches could happen more often as e-discovery becomes more common and more voluminous, Simmons warns.

July 31, 2017  6:38 PM

IBM Mainframe Encryption Apparently Okay

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Apple, Encryption, Google, government, IBM, privacy, Security

When Apple and Google released cellphones with encryption being the default, law enforcement had kittens, with dire warnings about terrorism and child pornography if there wasn’t a back door into it. And governments all over the world, including the U.S., have insisted that data shouldn’t be encrypted unless a back door was available, in case evil people were hiding evidence of their nefarious deeds.

But so far, law enforcement hasn’t complained about IBM’s new Mainframe Z, announced earlier this month. “IBM has launched a new mainframe system capable of running more than 12 billion encrypted transactions per day, in a bid to wade further into the financial cybersecurity market,” writes Ryan Browne for CNBC. “IBM claimed that its new mainframe can encrypt data at a rate 18 times faster than other platforms. The mainframe will be used initially as an encryption engine for IBM’s cloud computing technology and blockchain (distributed ledger technology) services.”

IBM didn’t say when the system would be available, though it said the technology was already in use at six of its own blockchain service centers, and at least one article indicated that the system was would be available in mid-September. The company already supports 87 percent of all credit card transactions, totaling nearly $8 trillion worth of payments each year, Browne writes.  The system is intended to “enable companies to comply with new data protection laws, such as the European Union’s General Data Protection Regulation (GDPR) and the U.S.’s Federal Financial Institutions Examination Council (FFIEC) guidance on the use of encryption in the financial services industry,” he adds. “The GDPR holds that businesses should encrypt personal data to prevent a compromise of confidentiality, while the FFIEC’s guidance states that management should ‘implement the type and level of encryption commensurate with the sensitivity of the information.’”

But by announcing the system, IBM is also drawing a line in the sand and siding with Apple, writes Brian Fung in the Washington Post. “IBM fully supports the need for governments to protect their citizens from evolving threats,” he reports the company said in a statement on the issue. “Weakening encryption technology, however, is not the answer. Encryption is simply too prevalent and necessary in modern society.”

Maybe law enforcement thinks that hackers and terrorists can’t afford mainframes like this one, which according to Fung is supposed to cost $500,000 a pop? But companies like Microsoft can, and the U.S. government has been fighting with Microsoft for several years to gain access to data that it stores overseas. What if Microsoft said fine, here’s the data – but it’s encrypted, so good luck?

Indeed, with some governments wanting to outlaw encryption altogether, is IBM going to be allowed to sell the equipment in those countries? Will people in those countries be allowed to use it? Is IBM releasing the system in hopes that it will be grandfathered in should countries implement anti-encryption laws?

Experts also point out that IBM statements about the encrypted data being more safe from hackers isn’t necessarily true. Commenters to the Washington Post article noted that only the data at rest would be encrypted, while data within an application would still be decrypted and vulnerable. In addition, hackers don’t have to be able to read data to wreak havoc, noted another. “I do not need to know what is in your data for a ‘WannaCry’ attack to work,” writes JoeFromBoston. “Even if YOU have encrypted your data, if I encrypt your encrypted data a second time, you are still in big trouble.”

So far, no comment from the FBI or other law enforcement organizations.

July 22, 2017  10:22 AM

Supremes to Decide Cellphone Location Data Case

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
privacy, Security, smartphone

The laws governing search and seizure of data on a person’s cellphone continue to evolve – and next fall, they’re likely to evolve some more, as a critical case goes to the Supreme Court. At the heart of the case is the distinction between content and metadata.

Let’s say you send someone an email message. The body of the message is the content. But all the information about the message – to whom you sent it, when you sent it, where you were when you sent it, and so on – is metadata, or data about the message. In a number of cases, courts, prosecutors, and law enforcement have made the distinction between the two, saying that while a search warrant is required to see the content, the metadata is fair game.

Now, one of those issues – in particular, the location data of your cellphone – is actually going to be argued in front of the Supreme Court, which is likely to settle the issue once and for all.

It’s all due to a case called Carpenter. Two guys in Detroit were accused of robbery, and the Federal Bureau of Investigation (FBI) used their cellphones to prove that they were nearby a number of the incidents. To do this, the FBI went to the suspects’ cellphone providers and obtained a lot of data about the suspects’ locations – more than 12,000 for one guy, and almost 24,000 for the other guy. The defense attorneys for the guys are saying that the phones revealed so much personal data about the guys that a warrant should have been required for the search.

Moreover, these two guys aren’t the only ones who had their phones searched for location data; according to providers such as AT&T, this happens thousands of times a year.

You might think, “Wait. Didn’t the Supreme Court decide this already?” Well, sort of. In June, 2014, in a case known as Riley, the Supreme Court ruled that  law enforcement officials needed a warrant to search someone’s cell phone. However, this case is different, because Riley covered searching the content of a cellphone, while Carpenter covers searching the metadata.

A number of organizations – including such odd bedfellows as the American Civil Liberties Union (ACLU), the Electronic Frontier Foundation, and the conservative Cato Institute — have filed friend-of-the-court briefs hoping to protect metadata, saying that giving law enforcement access to a person’s location files amounts to unlawful search and that a warrant should be involved.

“The Fourth Amendment was designed precisely to protect the kinds of intimate details that police seized without a warrant in Carpenter,” writes the ACLU. “For example, an analysis of Carpenter’s whereabouts suggests that he slept away from home on December 22, 2010, in what appears to be an aberration. The location data also shows that in the early afternoon on a number of Sundays, Carpenter made or received calls from the cell tower sectors nearest to his church. His cell phone records do not routinely show him in that area on other days of the week, implying that he was worshipping at those times. Together, the data reveals a granular accounting of Carpenter’s locations and movements over the four-month period.”

“Although the case is formally about cell-site records, it’s really about where to draw lines in terms of what network surveillance triggers the Fourth Amendment and how the Fourth Amendment applies,” argues Orin Kerr of the Volokh Conspiracy, in the Washington Post. “The justices can’t answer how the Fourth Amendment applies to cell-site records without providing a framework for how the Fourth Amendment applies to many other forms of surveillance, such as visual surveillance, obtaining traditional phone records, obtaining e-mail transactional records, obtaining credit card records and the like.”

Not everyone agrees. “Carpenter v. United States is part of the ACLU’s campaign to hobble police and shield wrongdoers — both terrorists and common criminals — from the latest technologies available to law enforcement,” writes Betsy McCaughey in the New York Post, while muttering darkly about terrorists. “But how else could agents find out whether he was near the robbed stores?” (Fortunately, “but law enforcement didn’t have any other way to get the information” isn’t typically an acceptable excuse for violating the Constitution.) There is also some concern that such a ruling could limit the use of location data by marketers.

A particular nuance in this case is the notion of third-party doctrine, Kerr explains. In other words, law enforcement didn’t get the metadata directly from the suspects’ cellphones, but from a third party – their service providers. Third-party records require only “reasonable suspicion” that a person was involved in a crime, not “probable cause,” which requires a warrant, writes Peter Henning in the New York Times.

What’s important about this case is it will determine whether metadata from a third party will also require a search warrant, Kerr explains. For example, the third-party doctrine is frequently cited by the government in support of the legality of NSA collection of metadata, writes Emma Kohse in the Lawfare blog.

Another nuance is that the Supreme Court has already ruled that collection of data from a GPS tracker required a warrant, but law enforcement has argued that the cellphone tower location data obtained in Carpenter was less specific than the data from a GPS tracker, so it didn’t require the same level of protection, Henning adds.

In the meantime, there’s not much you can do to avoid this other than turning off your phone. Moreover, this isn’t even data collection that you can stop by turning off or deleting location tracking, because it’s the cell tower data collected by your provider. So it will be interesting to see how the Supreme Court – with its newly appointed justice Neil Gorsuch – will rule.

July 13, 2017  9:06 PM

Beware! USB Web Key In the Mail

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Security, Storage, USB

You’ve heard about phishing. Now we’ve got one with actual bait: a mailed USB card called a web key.

As one techie describes it, “Here is the prototype for the next big wave of security breaches.”

According to TJ Gamble, founder and CEO of ecommerce company jamerson.com, Blue Cross/Blue Shield is sending out letters that include something like a business card or a credit card with a built-in USB drive. The letter urges recipients to insert the device into their computers to find out all the wonderful things that Blue Cross could do for them.

Gamble Tweeted a picture of one of the letters, showing the USB drive, known as a “web key.” He also put together a YouTube video going into more detail.

In a LinkedIn post elaborating on the Tweet, and in his video, Gamble hastened to clarify that he wasn’t accusing Blue Cross of anything nefarious. “I am not accusing BCBS of creating software that is less than aboveboard,” he writes. “However, now someone wanting to exploit your computer can copy this concept and just start randomly mailing these out to companies hoping that they will insert it into their computer and run their nefarious software. The fact that BCBS appears to have officially sent these out increases the likelihood that someone will trust the next wave of them whether they are official or forged.”

In other words, it would be like phishing – except instead of getting email from what appears to be Google or Facebook, you’re getting actual physical mail from what appears to be a trusted source like Blue Cross. Instead, it could have a potentially nasty payload that could install malware, steal your data, reprogram your device, destroy your laptop, or set it on fire. Moreover, the mailing apparently targeted human resources professionals, who might not know about the security risks involved, Gamble notes.

On the other hand, if someone gets caught sending them out, it’s presumably mail fraud, a Federal crime. And due to this risk, as well as the cost of producing the devices in the first place – 50 cents to a dollar each, he estimates — Gamble writes that he wouldn’t expect to see the general public start receiving these. “However, it definitely provides some ideas for going after high-value targets,” he warns – a variation known as “spear phishing.”

Blue Cross defenders commenting on Gamble’s piece point out that the company is hardly the first to use such Web key devices, linking to a Pinterest board of examples. (For what it’s worth, I’ve never seen the things before.) On the other hand, commenters also noted that malware or other payloads could be inserted anywhere along the supply chain for the devices, including where they were built, and in any event it was dangerous to train users to start inserting these devices.

In any event, the advice remains the same: Don’t poke strange USB sticks into your devices.

June 30, 2017  8:48 AM

Microsoft-DoJ Case Headed to the Supremes

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
government, Microsoft, privacy, Security

Experts who have been saying for a while now that the Microsoft-Department of Justice case would eventually end up before the Supreme Court are finally being proven right: the DoJ requested earlier this month that the Court handle the case.

As you may recall, the case, which started in 2014,  involved whether Microsoft must release data stored on one of its servers to a U.S. government agency, even though the data in question is outside the U.S., setting the stage for a massive worldwide confrontation on just who has the right to have access to data where. Most recently, in January the Second Circuit Court of Appeals denied a rehearing of the case, which left the Supreme Court as the only option.

Now, at the very last minute – and after two extensions – the DoJ has decided it wants to take the case to the Supreme Court to be decided once and for all.

Microsoft, as well as the other technology companies that have been anxiously watching the proceedings and filing amicus briefs, were surprised, because they had thought that the federal government had agreed with some lower courts that the real solution was a legislative one. This would most likely involve updating the 1986 Electronic Communications Privacy Act and the Stored Privacy Act on which the case was based.

Indeed, Sen. Orrin Hatch (R-Utah) (who is, incidentally, third in line to become President), put forth legislation last year, the International Communications Privacy Act, where it has languished since then. A legislative solution could solve a number of current problems, including making it easier to request such data from foreign governments.

In addition, a new law, the General Data Protection Regulation, governing this issue is also scheduled to take effect in Europe next year. “In less than one year, a new European data protection law will go into effect,” writes Brad Smith, Microsoft’s president and chief legal officer, in a blog post. “Under that law – called the General Data Protection Regulation – it would be illegal for a company to bring customer data from Europe into the U.S. in response to a unilateral U.S. search warrant.” Depending on how the Supreme Court rules, a vendor could find itself violating international law by following American law, or vice versa, he warns.

And the whole thing is predicated on treating digital data – by virtue of its accessibility – differently from other, physical, types of evidence, writes Karlin Lillington in the Irish Times. “If the desired evidence were concrete (say, paper documents) rather than digital, US authorities would have to use existing international law-enforcement agreements,” she writes.

A favorable Supreme Court ruling sets a dangerous precedent for the cloud computing industry, Lillington continues. “If the US government has the right to directly seize internationally-held data, then other countries will of course, expect the same right to in effect conduct international digital raids for American or other nations’ data, in the US or around the world, with near-impunity,” she writes. “This raises obvious data-protection, data-privacy, and surveillance concerns. It also completely undermines the whole concept of cloud computing – the movement and storing of data by organizations in international jurisdictions – and suggests businesses would have to run stand-alone operations and data centers in every geography in which they operate.”

Part of the problem is that while Microsoft has been prevailing legally, a similar, later case with Google was won by the government. In April, a federal magistrate judge in San Francisco denied Google’s attempt to quash a warrant seeking data stored abroad, writes Ben Hancock in Law.com. “It was at least the third such decision involving Google in as many months, and another magistrate judge in Florida in early April forced Yahoo to hand over data in a similar ruling.” Google, like Microsoft, prefers a legislative solution.

However, Google has also been using a different legal argument from the one Microsoft has been using, Hancock writes. “Microsoft argued that if authorities in New York wanted the email data in Ireland, all they had to do was go through a treaty process with Irish authorities,” he writes. “By contrast, Google has essentially argued—in part because of its practice of ‘sharing’ [he means “sharding” – he’s a lawyer, not an engineer] data into pieces spread across servers around the globe, for the purpose of network efficiency—that data stored outside the United States cannot be accessed by U.S. authorities or by authorities in any other jurisdiction.”

If the Supreme Court decides to hear the case, how the Court might rule is undetermined, particularly since there are a couple of new factors. First, the Court has a new member, so it can’t tie and not have its ruling used as a precedent. Second, the new member, Neil Gorsuch, is reportedly very conservative, even activist, according to the Los Angeles Times. Third, the rumor is that swing justice Anthony Kennedy is going to retire before the next session. All of these factors apparently make the government think it is more likely to prevail in this case, rather than waiting on the legislative solution — no matter the consequences.

June 28, 2017  6:40 AM

Micron Shuts Down Lexar

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Memory, Micron, Storage

New Micron CEO Sanjay Mehrotra, cofounder of SanDisk, who took over just in April, is apparently wasting no time: The company has shut down its Lexar primarily consumer division and is looking for ways to sell it.

“Micron Technology today announced that it is discontinuing its Lexar retail removable media storage business,” writes consumer products group vice president Jay Hawkins in a blog post. “The decision was made as part of the company’s ongoing efforts to focus on its increasing opportunities in higher value markets and channels.” Micron is “exploring opportunities” to sell all or part of the Lexar business, he continues.

Hawkins also didn’t say whether layoffs would be involved, though he did thank the Lexar team for its contributions. If Micron is pulling out of consumer products, one wonders how much longer he’ll be around, too.

Micron bought Lexar in 2006 but continued operating it as a separate division from the rest of the company, which sells its products to vendors. Lexar – which still has its own web pages up – was announcing new products as recently as February and March.

Interestingly, Lexar vice president and general manager Wes Brewer had written almost exactly a year ago about the use of storage in drones. With drones’ soaring popularity (sorry), it’s surprising that Lexar couldn’t find a way to make a go out of storage for the devices, nor that Micron would try to use Lexar as a way to get into that lucrative market.

Perhaps coincidentally, Micron is expected to announce its earnings on Thursday. Could it be that they’re going to be bad news and the company wants to either distract everyone or else make it clear that it’s addressing the issue?

And yet the majority of stock analysts believe that the company will beat its earnings projections. Micron stock has also been on a pretty steady upturn since FQ4’16, according to Estimize.

Analysts expect Micron Technology, Inc to report a revenue of $5.41 billion, good for 86.6% YoY growth and 16% sequential growth,” writes Kumar Abhishek  for Amigobulls. “On the earnings side, analysts expect Micron to report a non-GAAP EPS of $1.5, far higher than $0.02 loss per share the company had reported in the comparable quarter last year. Analysts estimates are in line with the company guidance for this quarter.”

“The third quarter is expected by analysts and by Micron management to be its most profitable quarter since 2013 and guidance for Q4 looks poised to be even better, almost exclusively on the back of a rebounding DRAM pricing environment,” predicts Kumquat Research in Seeking Alpha.

The company reported modest second-quarter fiscal 2017 results,” writes Zacks Equity Research.  “The top and bottom lines increased on a year-over-year basis, primarily due to pricing improvement in DRAM and NAND sales volume. We believe that the improving prices for DRAM and NAND chips make investors confident about Micron’s growth. Per various sources, the prices for these specific chips have improved primarily due to a better product mix optimization and higher-than-expected demand for PCs, servers and mobiles. We believe that any increase in prices will have a favorable impact on the company’s top line and the benefit is likely to flow down to the bottom line. The benefit from improved pricing was well reflected in the company’s last quarterly results. We anticipate these benefits to reflect in the to-be-reported quarter as well. Additionally, we are positive about the company’s strategy of enhancing its operating capabilities through acquisitions which are likely to boost its top-line performance.”

On the other hand, none of these rosy articles (even this gigantic one) don’t even mention Lexar, instead focusing on Micron’s DRAM business. So perhaps the company is intending to focus only on its most profitable line. Let’s hope it doesn’t regret putting all of its chips into one basket.

June 19, 2017  12:04 PM

Pence AOL Email Costs State $100K

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Email, government, privacy, Security

Here’s another reason why politicians shouldn’t use private email accounts to conduct official business: It can cost your state $100,000.

This is reportedly what the state of Indiana is spending to hire people to deal with the backlog of Freedom of Information Act (FOIA) requests for former governor, now vice president, Mike Pence after it was ascertained that he used an AOL.com email address for official business.

“Emails released to IndyStar in response to a public records request show Pence communicated via his personal AOL account with top advisers on topics ranging from security gates at the governor’s residence to the state’s response to terror attacks across the globe,” wrote Tony Cook for the Indianapolis Star when Pence’s AOL account was revealed in March.

In May, a number of papers reported on the FOIA backlog. “The administration of Pence’s successor as governor, Eric Holcomb, entered a one-year contract last month with a Shelbyville firm, McNeely Stephenson, to handle the ‘unusually high’ number of requests, records show,” writes the Associated Press. “More than 50 such requests are pending.”

“A portion of the requests are generic and ask for emails related to state business sent or received by Pence,” write Cook and Kaitlin Lange in the Indianapolis Star, adding that the paper has two outstanding requests of its own. “Others have asked for emails from Pence’s personal account relating to the 2016 election, voter fraud and RFRA. Among those making requests were national reporters from the New York Times and Rewire, a publication that covers reproductive health issues.”

Interestingly, Lange and Cook report that the $100,000 is to be divided, with $30,000 to be paid in 2017 and the remaining $70,000 in 2018, indicating that the law firm doesn’t expect to respond to the requests soon. On the other hand, if the years are fiscal years rather than calendar years, fiscal 2018 would start on July 1, 2017, and that time period would be less surprising.

It is not clear why Pence chose to use a personal email account for some messages, such as whether he was trying to hide the messages from Indiana citizens, or simply used whatever email address was convenient. The official response was, “Similar to previous governors, during his time as Governor of Indiana, Mike Pence maintained a state email account and a personal email account. As Governor, Mr. Pence fully complied with Indiana law regarding email use and retention. Government emails involving his state and personal accounts are being archived by the state consistent with Indiana law, and are being managed according to Indiana’s Access to Public Records Act.”

At that time, the office released 29 pages of email messages from Pence’s AOL account, but declined to release an unspecified number of others “because the state considers them confidential and too sensitive to release to the public,” Cook writes.

Yes, the messages too confidential and sensitive to release to his constituents were sent using AOL. Oh, and it got hacked. “Pence’s account was actually compromised last summer by a scammer who sent an email to his contacts claiming Pence and his wife were stranded in the Philippines and in urgent need of money,” Cook writes. After that, Pence reportedly set up a different AOL account.

Aside from the security aspect, the private email account also raises troubling issues of government transparency, Cook writes. “Advocates for open government expressed concerns about transparency because personal emails aren’t immediately captured on state servers that are searched in response to public records requests.”

And while Indiana state officials are advised to copy or forward their email messages involving state business to their government accounts to ensure the record is preserved on state servers, there is no indication that Pence took any such steps to preserve his AOL emails until he was leaving the governor’s office, Cook adds, when he sent his staff with 13 cartons of printed email messages to the Indiana Statehouse to be archived. The law firm is trying to get digital access to the messages to speed up the public records response process, according to the AP.

As you may recall, Pence criticized Democratic presidential candidate Hillary Clinton for using a private email server for all of her email messages. “Pence fiercely criticized Clinton throughout the 2016 presidential campaign, accusing her of trying to keep her emails out of public reach and exposing classified information to potential hackers,” Cook writes.

 But that’s different, Pence said.There’s no comparison whatsoever between Hillary Clinton’s practice — having a private server, misusing classified information, destroying emails when they were requested by the Congress,” he responded in March to the Indianapolis Star article. “We have fully complied with Indiana’s laws. We had outside counsel review all of my previous email records to identify any that ever mentioned or referenced state business.”

Pence supporters also say that sending all messages through a private email server that one controls is not the same thing as sending some messages through a commercial email provider. One can argue the relative benefits and weaknesses of the two systems.

Good news, though: Pence has reportedly stopped using AOL since taking office as vice president.

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: