Yottabytes: Storage and Disaster Recovery

November 20, 2019  11:25 PM

Cops Now Using Warrants to Gain Access to Genetic Databases

Sharon Fisher
Database, Storage

As you may recall, last year police officers were able to track down a murderer through relatives in a genetic database. Now, it’s gone one step further: Police have succeeded in using warrants to gain access to genetic databases to search for suspects.

Police first started using genetic databases for law enforcement in 2015. In fact, in some cases, they started asking people for DNA samples to prove they weren’t suspects in cases.

In response to the 2018 case, genetic database companies started writing and following best practices guidelines regarding the use of their data in law enforcement. (The agreement, however, didn’t cover GEDMatch, the open source database used by law enforcement to track down the alleged “Golden State Killer.”) Even before that, in response to the 2018 case, people started making their genetic records private.

In September, the U.S. Department of Justice issued a policy limiting searches by federal law enforcement agencies to violent crimes and DNA profiles with user consent, writes Jocelyn Kaiser in Science. But that wasn’t enough.

“What experts really worry about is that police may seek warrants to access all of GEDMatch’s data,” Tina Hesman Saey wrote – presciently, as it turns out – in Science News in June.

Now, a police officer in Florida actually has gotten a search warrant for all the records in a GEDmatch database – including the ones that had made themselves private.

“A Florida detective announced at a police convention that he had obtained a warrant to penetrate GEDmatch and search its full database of nearly one million users,” write Kashmir Hill (who’s been writing about genetic databases since at least 2010) and Heather Murphy, in the New York Times. “Legal experts said that this appeared to be the first time a judge had approved such a warrant, and that the development could have profound implications for genetic privacy.”

You think?

While GEDmatch has about a million users, other genetic databases are much bigger, and now that a precedent has been set, law enforcement may go after those other databases as well, Hill and Murphy write. “DNA policy experts said the development was likely to encourage other agencies to request similar search warrants from 23andMe, which has 10 million users, and Ancestry.com, which has 15 million,” they write. “If that comes to pass, the Florida judge’s decision will affect not only the users of these sites but huge swaths of the population, including those who have never taken a DNA test. That’s because this emerging forensic technique makes it possible to identify a DNA profile even through distant family relationships.”

If GEDmatch isn’t very big, why did law enforcement professionals start there? Because GEDmatch is open source and was easiest to access, they add. (In fact, for the 2018 case, police didn’t even alert GEDmatch they were doing so.)

That said, one researcher was surprised that GEDmatch didn’t fight back against the warrant, and felt that bigger genetic database companies would probably protest such warrants more strongly.

And, in fact, 23andMe did write a blog post saying it would fight such warrants. “If we had received a warrant, we would use every legal remedy possible,” writes Kathy Hibbs, the company’s chief legal and regulatory officer.

But not even that might help, Kaiser writes, quoting Natalie Ram, a law professor at the University of Maryland’s Carey School of Law in Baltimore.

“It’s not clear whether the DNA company or a criminal defendant would have the right kind of interest in the DNA and privacy rights at issue to even be able to challenge the warrant effectively. (That is, it’s not clear either has ‘standing’),” Ram says. “So, we might discover that this is a situation in which, as a practical matter, there is no one who can effectively challenge this warrant. And that’s not a good place for the law to be.”

What makes that an issue? “Last year, researchers calculated that a database of about 3 million people would allow for the identification of virtually any American of European descent,” Saey writes. With access to those two companies’ databases, law enforcement would be solving cases every day, she quotes one genetic genealogist as saying.

Moreover, at around the same time, a University of Washington study found that genetic databases were subject to fraud. In other words, it was possible to create a fake person who was related to a real person.

“Researchers at the University of Washington have found that GEDmatch is vulnerable to multiple kinds of security risks,” writes Sarah McQuate for UW News. “An adversary can use only a small number of comparisons to extract someone’s sensitive genetic markers.”

How many? Just 20 – and it would take about ten seconds to do, she writes.

“The team played a game of 20 questions: They created 20 extraction profiles that they used for one-to-one comparisons on a target profile that they created,” McQuate writes. “Based on how the pixel colors changed, they were able to pull out information about the target sequence. For five test profiles, the researchers extracted about 92% of a test’s unique sequences with about 98% accuracy.”

It doesn’t stop there. “A malicious user could also construct a fake genetic profile to impersonate someone’s relative,” McQuate writes. “Once someone’s profile is exposed, the adversary can use that information to create a profile for a false relative. The team tested this by creating a fake child for one of their experimental profiles. Because children receive half their DNA from each parent, the fake child’s profile had their DNA sequences half matching the parent profile. When the researchers did a one-to-one comparison of the two profiles, GEDmatch estimated a parent-child relationship. An adversary could generate any false relationship they wanted by changing the fraction of shared DNA.”

Now, put those two things together. Will we have police creating fake relatives to justify gaining access to the DNA records of real suspects? The September policy is supposed to forbid that, but it applies only to federal searches, Kaiser writes.


November 14, 2019  9:56 AM

Laptop Border Searches Now Require Probable Cause

Sharon Fisher
government, privacy, Security

It’s safe to bring your cell phones and laptops into the United States again.

The Electronic Frontier Foundation (EFF) has for some time been pushing for a case to expand the provisions of the Riley case, which stated that law enforcement officials needed a warrant to search someone’s cell phone, to Customs and Border Patrol (CBP) searches. “We are eager to further the law in this area—to make it clear that the Riley decision applies at the border,” the organization wrote at the time, urging people to let it know when they undergo a border search.

Now, it got it, with a summary ruling from the U.S. District Court in the District of Massachusetts, in Boston.

The result is that border officers must now demonstrate individualized suspicion of illegal contraband before they can search a traveler’s device, writes the EFF, which has published a guide on border searches and in general has collected information about such cases.

“The ruling came in a lawsuit, Alasaad v. McAleenan, filed by the American Civil Liberties Union (ACLU), Electronic Frontier Foundation (EFF), and ACLU of Massachusetts, on behalf of 11 travelers whose smartphones and laptops were searched without individualized suspicion at U.S. ports of entry,” the EFF writes.

Ten of the plaintiffs were U.S. citizens, while the other was a lawful permanent resident.

The U.S. has had a policy since 2009 that border agents can demand access to a smartphone within 100 miles of the border – which covers much more U.S. territory than you’d think. According to the American Civil Liberties Union (ACLU), as of 2006, more than two-thirds of the U.S. population lived within 100 miles of the border. Altogether, it meant that anyone in that area with a laptop could have that laptop seized without a warrant, at any time, taken to a lab anywhere in the U.S., have its data copied, and searched for as long as Customs deemed necessary. And despite their objections, the policy has largely been upheld.

In 2015, a judge ruled that – following the lead of the Supreme Court ruling on the Riley case– customs officials needed to have probable cause before it could search someone’s laptop. The problem with that ruling is it applied just to that one case, not overall.

This new filing applies to everyone – at least, for now. Presumably the federal government could appeal the case to the Supreme Court.

This case was filed in 2017, which is when a number of people started reporting anecdotally that they had had their devices searched. In one case, a US-born NASA engineer who worked with the federal government and was also a part of the Customs and Border Protection Global Entry program was told he couldn’t re-enter the U.S. until he unlocked his encrypted NASA phone. Several other incidents also happened over that summer, reported the Electronic Frontier Foundation.

In particular, this happened with the press. Even a Canadian journalist was denied entry to the U.S. for refusing to unlock his phone, and a Wall Street Journal reporter had the same experience, though customs agents backed down when she told them to call the paper. A BBC reporter also had to turn over his phone.

One of the plaintiffs, an incoming Harvard freshman, not only had his phone searched but had his visa denied because of what border officials said were anti-American posts in his social media.

In April, the ACLU and the EFF reported that searches were becoming so egregious that they asked for a summary judgment without a trial. That is what happened here.

In general, the number of searches has increased sharply in recent years. Last year, CBP conducted more than 33,000 searches, almost four times the number from just three years prior.

October 31, 2019  10:56 PM

Drivers Deal With Tesla Flash Memory Problem

Sharon Fisher
Flash memory

One of the criticisms of flash memory is that, while it’s fast to read, writing to it repeatedly wears it out and its performance decays. Flash memory vendors have been saying that this is a problem they’ve been working on. But they might have a bit of a problem after a recent incident.

It turns out that Tesla cars, which use flash memory, log so much data that it wears out the cars’ memory and bricks the cars, which requires a repair that can cost $1,800 or more.

The problem first started being reported in May, when a video was posted to YouTube describing the problem, writes Jason Koebler in Vice.

Three different auto shops reported the problem, writes Gustavo Henrique Ruffo in Inside EVs. “They aim to warn Tesla owners that the clock is ticking for all of them,” he writes. “Regardless of your car, the logging will require replacing your MCU sooner or later.”

The problem is that the size of the firmware has grown, and it’s now starting to compete with the logs for space, Ruffo writes. That leaves no spare space on the chip for wear leveling, the process that spreads writes evenly across the chip, he writes.

“Apparently, Tesla is overworking these systems (at least on some models) to a point where they can’t take it anymore,” writes Matt Posky in The Truth About Cars. “It’s basically the same thing that would happen if you filled and wiped a USB drive hundreds of times every day. One morning you’d plug it in and find that it’s no longer functional due to being burnt out from overuse.”
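To make the trade-off in the two paragraphs above concrete, here is an added simulation; it is not code from Tesla, the repair shops, or any of the sources quoted here. It models a flash chip under the simplest dynamic wear-leveling policy: every log write erases and reprograms the least-worn spare block, static blocks (firmware) never absorb writes, and the chip fails when any block exceeds its program/erase endurance. Block counts, endurance and the logging rate are assumed toy values, not figures from the article.

```python
import heapq
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class FlashLayout:
    """Assumed toy chip parameters; none of these numbers come from Tesla."""
    total_blocks: int
    endurance: int      # program/erase cycles a block tolerates before it is unreliable
    static_blocks: int  # blocks pinned by firmware and other data that is never rewritten

    def __post_init__(self):
        if not 0 <= self.static_blocks < self.total_blocks:
            raise ValueError("firmware must leave at least one spare block for logging")

    @property
    def spare_blocks(self) -> int:
        return self.total_blocks - self.static_blocks


def days_until_wear_out(layout: FlashLayout, log_blocks_per_day: int) -> int:
    """Simulate dynamic wear leveling over the spare blocks only.

    Each log write erases and reprograms the least-worn spare block (a min-heap
    keyed on wear count).  Static blocks never absorb writes, so a bigger
    firmware footprint directly shrinks the pool wear leveling can rotate
    through.  Returns the first day on which some block exceeds its endurance.
    """
    if log_blocks_per_day <= 0:
        raise ValueError("log rate must be positive")
    heap = [(0, block) for block in range(layout.spare_blocks)]
    heapq.heapify(heap)
    day = 0
    while True:
        day += 1
        for _ in range(log_blocks_per_day):
            wear, block = heapq.heappop(heap)
            wear += 1
            if wear > layout.endurance:
                return day
            heapq.heappush(heap, (wear, block))


def predicted_days(layout: FlashLayout, log_blocks_per_day: int) -> int:
    """Closed form the simulation should agree with: a perfectly leveled pool
    absorbs spare_blocks * endurance writes, and the write after that kills a block."""
    return math.ceil((layout.spare_blocks * layout.endurance + 1) / log_blocks_per_day)


def compare_scenarios(total_blocks=64, endurance=3000, log_blocks_per_day=100):
    """Lifetime in days for a small firmware image, a grown one, and reduced logging."""
    small = FlashLayout(total_blocks, endurance, static_blocks=16)
    large = FlashLayout(total_blocks, endurance, static_blocks=40)
    return {
        "small firmware": days_until_wear_out(small, log_blocks_per_day),
        "large firmware": days_until_wear_out(large, log_blocks_per_day),
        "large firmware, half the logging": days_until_wear_out(large, log_blocks_per_day // 2),
    }


if __name__ == "__main__":
    for name, days in compare_scenarios().items():
        print(f"{name:32s} {days:6d} days ({days / 365:.1f} years)")
```

With the assumed numbers, growing the firmware from 16 to 40 of 64 blocks halves the spare pool and halves the chip’s life; halving the logging rate buys it back, which is why the mechanics quoted later in the post ask for less logging rather than a different chip.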

Each of the three repair shops said they had encountered at least a dozen cars with the problem in just the last couple of months.

Drivers have also been reporting the problem, which, in an annoying coincidence, apparently tends to happen around the time that the warranty runs out, after about four years or so.

Moreover, it’s not a problem that’s getting better with newer models, because the newer models do even more logging than older ones, Ruffo writes.

The other part of the problem is that the chip is soldered to the board, meaning the whole board has to be replaced. Some of the auto shops reported that they were creating sockets on the board to make it easier to replace the chips in the future.

In response to one Twitter discussion of the problem, Tesla founder Elon Musk said the problem should be “much better at this point,” Posky writes.

But people were dubious, writes Dan Robitzski in Futurism.com. “Without specifying how or why, Musk replied that the problem should ‘be much better at this point’ – drawing immediate skepticism from the engineer and others who didn’t see any evidence of a fix,” he writes.

Mechanics and drivers are suggesting that the company should reduce the amount of logging that the car does.

Tesla owners who are still under warranty are urged to try to update the faulty part.

Ultimately, it’s bad news not only for Tesla’s cars but for the reputation of flash memory in general.

October 26, 2019  11:51 PM

A $176 Million Victory in HP Optical Disk Drive Case

Sharon Fisher
HP, Storage

HP’s back in court again, but unlike its battles with Autonomy, it’s pretty clear that it’s in the right in this case.

As it turns out, “Quanta Storage and Quanta Storage America participated in a massive conspiracy to fix and maintain artificially inflated prices for optical disk drives (ODD),” writes Natalie Posgate for the Dallas Business Journal.

A Houston federal jury recently awarded HP a $176 million verdict after determining the Taiwanese Quanta and its U.S. affiliate violated U.S. antitrust laws, Posgate writes. Moreover, because the jury found that Quanta knowingly and intentionally violated U.S. antitrust laws, HP’s lawyers will ask the judge to triple the verdict amount, she adds.

Quanta isn’t alone. A number of manufacturers reportedly worked together on price fixing – to the extent that they exchanged email with each other with the subject line “price fixing,” writes Michelle Casady in Law360. “Other emails used slightly more coded language, calling for meetings among the sales representatives to discuss ‘consensus on price protection,’” she writes in a different Law360 article.

“HP sued Quanta and several tech giants in 2013, alleging the group carried out their price fixing conspiracy, which lasted between 2004 and 2010, by rigging bids for ODDs during procurement events that HP conducted,” Posgate writes. “As a result, HP alleged, it paid higher prices for ODDs than it would have paid in a competitive market.”

But most of the companies originally named in the lawsuit in 2013 — including Toshiba Corp., Hitachi-LG Data Storage Inc., Panasonic Corp., Sony Optiarc Inc., NEC Corp. and Samsung Electronics Co. Ltd. — had entered confidential settlement agreements with HP by 2017, leaving only Quanta to face trial, Casady writes.

HP’s not alone. ODD vendors also defrauded individual purchasers at the same time, writes Melissa Daniels in Law360. Direct purchasers, as well as indirect purchasers, also brought claims in the MDL, which resulted in a $37 million settlement proposed in November 2015, she writes. A settlement fund for the indirect purchasers totaled around $175 million, she adds.

In fact, as long ago as 2011, three South Korean executives of Hitachi-LG Data Storage Inc. not only agreed to plead guilty but also to serve prison sentences in the U.S. for conspiring to fix prices for optical disk drives sold to Microsoft Corp. and others, including Dell and HP, writes Melissa Lippman in another Law360 article. Two of them agreed to serve eight-month sentences, while the other was to serve a seven-month sentence, plus they needed to pay a $25,000 fine, she writes.

Hitachi-LG itself agreed to pay $21.1 million and cooperate with the investigation in order to resolve similar charges, Lippman adds.

Obviously, this sort of thing has been going on for years with a wide variety of vendors.

So open-and-shut was the HP case that the jury reportedly deliberated for less than five hours before returning their verdict, Casady writes.

That’s a big difference from the Autonomy case – which is still going on – where HP has been made fun of by not only opposing counsel but also the judge, such as being told the deal failed because of its incompetence.

October 22, 2019  9:36 AM

Nuclear Missiles No Longer Controlled by 8-inch Floppy Disks

Sharon Fisher

As you may recall, back in 2014 the Air Force came under some derision when it was revealed that they still used 8-inch floppy disks to control nuclear missiles.

At the time, this was revealed to us by 60 Minutes’ Lesley Stahl, in an awestruck are-all-these-your-guitars piece about who’s minding the nuclear store.

“But the equipment is ancient,” reads the transcript. “This, for example, is one of the computers that would receive a launch order from the president. It uses floppy disks! The really old, big ones.” Deputy Dana Meyers, 23, dutifully reported that she had never seen one before working in the missile silo.

In 2016, there was another flurry of attention over the issue when the Government Accountability Office issued a report mentioning them.

While people mocked them at the time, and there is always the issue of no longer being able to find 8-inch floppy disks (though they’re still available online, even if you’re not the Air Force), the move – or lack of one, as the case may be – made sense for two reasons.

First of all, if it isn’t broke, don’t fix it. Especially with something like missiles. It’s not like it was an operations level database that needed to be kept up-to-date for performance or compatibility reasons. How much would it cost to update that system, just to avoid using 8-inch floppy disks?

Second is security through obscurity. While it’s not impossible to find 8-inch floppy disks, using old technology like that can be more secure simply because people don’t know how to break into it.

This is not universally true, of course. Some older technology doesn’t have any security features at all, such as controllers and utility grid equipment, and that’s becoming a problem in this day and age of connected everything.

In any event, apparently the Air Force got tired of people making fun of it for this, because it recently announced that it would be phasing out the 8-inch floppy disk-based system.

“At long last, that system, the Strategic Automated Command and Control System or SACCS, has dumped the floppy disk, moving to a “highly-secure solid state digital storage solution” this past June, said Lt. Col. Jason Rossi, commander of the Air Force’s 595th Strategic Communications Squadron,” writes Valerie Insinna in C4ISRNET, a defense technology publication.

The SACCS messaging system has been used with the Minuteman intercontinental ballistic missile (ICBM) system, the land-based nuclear option operated by the U.S. Air Force Global Strike Command, writes Zak Doffman in Forbes. “It is a network of hidden underground missile silos connected by endless secure cabling. All of which has been controlled by a 1970s computer system and those disks.”

“It’s the age that provides that security,” Insinna writes that Rossi said in an October interview. “You can’t hack something that doesn’t have an IP address. It’s a very unique system — it is old and it is very good.”

The downside is the cost. The system cost $61 billion a year to maintain, wrote Conor Allison in Popular Mechanics in 2016. The other issue is that newer airmen joining the Air Force don’t know how to maintain the system, meaning the Air Force has had to rely on grizzled civilians to maintain it, Insinna writes.

Exactly what it’s been replaced with, Rossi wouldn’t say. Perhaps ZIP disks?

October 13, 2019  12:23 PM

Interesting Insights from Video Game Archeology

Sharon Fisher
Storage, Video games

It’s amazing how much computer scientists of today are learning from the stored data in old video games.

As you may recall, a couple of years ago some British researchers went to all sorts of efforts – including baking old tapes in an oven – to read the data from a series of text-based adventure games called Magnetic Scrolls. Baking the tapes was required because, in the years since the tapes were made, they had absorbed moisture and become sticky, which meant they couldn’t be played.

Now, there are people called “video game archeologists” who study old video games – not just to relive their childhoods, but to look at the programming techniques of the era. Because of the hardware and software limitations of the time, these programs often use remarkably imaginative techniques to work around them.

In this particular case, it was a game for the Atari console called Entombed. It was a pretty obscure game, but that was the point, explained John Aycock at the University of Calgary, in Alberta, Canada, in a 33-page paper explaining the project. He teaches a class in retro game programming, and he wanted to find a game that hadn’t already been extensively studied.

Of course, Aycock and his co-author, Tara Copplestone at the University of York, UK, left out one of the most intriguing aspects of it. “We began by manually reverse-engineering the relevant parts of Entombed’s binary code, via both static and dynamic analysis using the Stella Atari 2600 emulator.” Okay. But how did they get the binary code from the cartridge into the emulator in the first place? No clue. Argh.

Like many games of that era, Entombed used a maze, but not just any maze. “Although the blocky, two dimensional mazes from entombed might look simple by the standards of today’s computer graphics, in 1982 you couldn’t just design a set of mazes, store them in the game and later display them on-screen – there wasn’t enough memory on the game cartridges for something like that,” writes Chris Baraniuk for the BBC. “In many cases, mazes were generated ‘procedurally’ – in other words, the game created them randomly on the fly, so players never actually traversed the same maze twice.”

Anyway, as it turns out, the game has one of those sections of code that many of us remember, the kind that is basically commented “We don’t know how this section of code works, but don’t change it or it breaks the program.” The game uses a table to generate the maze, and neither today’s researchers nor the original writers – several of whom they tracked down and interviewed – know how the table works or how it came to be created. (Especially since, in this particular case, there weren’t even any comments, Aycock writes.)

“The best guess the pair have is that the programmer behind the maze algorithm must have manually fine-tuned the table values until the game worked as desired, but that still doesn’t really explain the logic behind it,” Baraniuk writes.

Alcohol may have been involved.

Aycock got two different stories about how the maze generation section of the code was created. “Regardless of which version of events is followed, it seems fair to say that some level of intoxication was involved in the development of the maze algorithm,” he writes.

Curious about video game archeology? As it happens, there’s a section of the Internet Archive called the Internet Arcade, which includes almost 2,000 arcade games, dating back to the 1970s, which have been emulated and can be run from a browser.

Good luck, Indiana Jones.

September 30, 2019  11:01 PM

Why You May Not Want to Sign Up for the ‘Storage for Life’ Deal

Sharon Fisher

The other day, everywhere I looked, I saw an article about the same product.

5 terabytes of cloud storage! For $99! 89% off! For life!

As an indication of how awesome that deal is, I pay $99 for 2 terabytes from Google now. And that’s per year, not for life.

Yet I didn’t jump all over this deal. Why not? What’s wrong with me?

“For life” is a long time. (Hopefully.) And I’ve been covering storage long enough to know that “unlimited” – whether it’s time or size – doesn’t last forever.

Back in the day, when personal cloud storage was just getting going, a number of major providers were offering unlimited data storage. And, one by one, they all quit, because they found out that, for some people, “unlimited” storage is like the buffet at Golden Corral, and they just hadn’t figured how much some people could eat.

And “forever” is worse.

I don’t want to pick on these people. The Polar Backup people – it’s called that presumably because it’s based in Finland – may be very nice and completely aboveboard. They may genuinely believe that they can promise to offer data storage for life.

But I wouldn’t want to bet on it. Because a lot of things can happen to a computer company.

In looking at the Polar Storage website – I had never heard of the company before – it turns out they’ve been around for all of two years. At least, that’s how long they’ve been developing this service.

And they’re promising forever?

If you read the FAQs and the terms and conditions and such – you know, the stuff that nobody ever reads – it starts sounding even more dicey. It’s not like it’s particularly out of the ordinary for cloud storage companies, but it doesn’t sound like forever.

“In the event of a change in ownership, or a direct merger or acquisition with another entity, we reserve the right to transfer all of Polar Backup User information, including Personal Data, to a separate entity. We will use commercially reasonable efforts to notify you (by posting on our website or an email to the email address you provide when you register) of any change in ownership, merger or acquisition of Polar Backup assets by a third party, and you may choose to modify any of your registration information at that time.”

“Polar Backup reserves the right in our sole discretion to revise, amend, or modify this policy and our other policies and agreements at any time and in any manner.”

“Polar Backup may (i) automatically update Polar Backup Products installed on your computer without your prior notice, (ii) upgrade, enhance, change and modify (collectively, the “Enhancements”) Polar Backup Products, or (iii) discontinue or retire Polar Backup Products or any aspect or feature of Polar Backup Products, including the types of files and data that are backed-up (not every file on your computer is backed-up) or the availability of Polar Backup Products on any particular device or communications service at any time and from time-to-time in its sole discretion.”

“Polar Backup will use reasonable efforts to provide notice of material changes to the Polar Backup Products or changes to these Terms by posting them to Product Agreement. It is your responsibility to periodically check Polar Backup website to inform yourself of any such modifications. Changes to these Terms, which may be made in Polar Backup sole and exclusive discretion, will be effective upon acceptance of these Terms (as described herein) for new subscriptions and effective for all existing users thirty (30) calendar days after the posting of the new Terms on Polar Backup website at Product Agreement. You agree to be bound to these Terms, as modified.”

So are you prepared to log into Polar Backup once a month, for life, just in case the company has changed its terms?

“These Terms, your license and your subscription to the Polar Backup Products will automatically terminate or expire upon the earlier of (i) non-renewal, cancellation, or expiration of your subscription or your failure to pay invoices when due, (ii) Polar Backup discontinuance of the Polar Backup Products, or (iii) failure to comply with these Terms. If any third party makes an intellectual property infringement claim relating to the Polar Backup Products,”

Yes, if they discontinue the products, they won’t work anymore.

“At any time during the term of a product’s life cycle, Polarbackup may increase or decrease its prices for any of its products without notice.”

About that price:

“Polar Backup’s cloud storage plans usually start at $390, but right now you can buy peace of mind and easy file management for 89% off.”

Now why in the world would a company do that? If it was trying to seize market share, or if it were in trouble. Otherwise it’d be tough to try to reduce its charges by 89% lest it tick off all its existing users, because this deal is only good for new users.

And 89% is quite a discount. It’s going to have trouble raising prices ever, or people will start asking why they can’t get the discount anymore.

Sadly, none of the dozen or more websites that advertised this deal brought up any of this. It was all, hey! Look at this deal! Wow!

And they may be right.

But when something sounds too good to be true, it probably is. And I will be interested to see how long Polar Backup stays around.

September 29, 2019  12:06 AM

Baltimore Ransomware Attack Still Causing Problems

Sharon Fisher
government, Security

While a number of cities have been hit by ransomware in the past year, few have been hit as hard as Baltimore – but as time goes on, it’s starting to sound like the city has no one to blame but itself.

It all started in May when several city services went down and the city received a ransom note. Baltimore was then told it needed to pay 13 bitcoin – about $76,000 – to get its data back.

However, city officials refused to pay. That wasn’t to save it money, though. “City officials expect to spend about $10 million rebuilding and replacing affected systems, and take an additional $8 million hit from lost revenue,” writes Benjamin Freed in StateScoop.

Naturally, Baltimore has been trying to understand how this all happened – and it’s asking itself some pretty hard questions. Sadly, it mostly seems to be trying to come up with pretty good excuses.

In the process of this introspection, city officials discovered that Baltimore didn’t have a disaster recovery plan, and that it would take nine months to develop one.

It didn’t have cyber insurance, either. Though hey! It’s considering it!

As it turns out, the city hadn’t been backing up employee hard disk drives anywhere, and data was stored only on individual PCs – which meant it got wiped out in the ransomware attack.

That also meant that the city had trouble during a recent audit.

“Baltimore’s IT agency could not prove that it was meeting certain performance metrics in a recent audit because the relevant data had been stored locally on employees’ computers that were corrupted by a ransomware attack that crippled the city’s municipal networks earlier this year,” Freed writes.
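The failure modes described above (no backups at all, data living only on the employee’s PC, and an agency that could not produce its own records when audited) are exactly what a periodic backup audit is meant to catch before an incident does. The following is an added example, not anything Baltimore, StateScoop or the Sun published: it reads a constructed backup inventory with hypothetical hostnames and dates and flags every endpoint whose data would not survive losing its own disk. The seven-day recovery point objective is an assumed policy value.

```python
from datetime import datetime, timedelta

# Constructed sample inventory, shaped like a backup catalogue export.
# Hostnames, timestamps and targets are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "finance-pc-01", "last_backup": "2019-09-26T02:10:00", "target": "backup-srv-a"},
    {"host": "audit-pc-07",   "last_backup": "2019-05-01T01:00:00", "target": "backup-srv-a"},
    {"host": "it-laptop-12",  "last_backup": None,                  "target": None},
    {"host": "hr-pc-03",      "last_backup": "2019-09-27T23:00:00", "target": "hr-pc-03"},
]


def audit_backups(inventory, now, rpo=timedelta(days=7)):
    """Return (host, finding) pairs for endpoints that fail the backup policy.

    Three checks, in order of severity: no backup ever recorded; the only
    copy lives on the same machine, which is useless against ransomware
    that wipes the host; and the last copy is older than the recovery
    point objective (RPO).
    """
    findings = []
    for rec in inventory:
        host = rec["host"]
        if not rec["last_backup"]:
            findings.append((host, "no backup on record"))
            continue
        if rec["target"] == host:
            findings.append((host, "only copy is on the same machine"))
            continue
        age = now - datetime.fromisoformat(rec["last_backup"])
        if age > rpo:
            findings.append((host, f"last backup {age.days} days old, RPO is {rpo.days} days"))
    return findings


def coverage_ratio(inventory, now, rpo=timedelta(days=7)):
    """Fraction of endpoints with a current, off-host backup: a number an
    auditor can ask for instead of taking 'strong defenses' on faith."""
    flagged = {host for host, _ in audit_backups(inventory, now, rpo)}
    return 1 - len(flagged) / len(inventory)


def audit_sample(as_of="2019-09-28T00:00:00"):
    """Run both checks over the constructed inventory as of a given date."""
    now = datetime.fromisoformat(as_of)
    return audit_backups(SAMPLE_INVENTORY, now), coverage_ratio(SAMPLE_INVENTORY, now)


if __name__ == "__main__":
    findings, ratio = audit_sample()
    for host, finding in findings:
        print(f"{host:14s} {finding}")
    print(f"coverage: {ratio:.0%}")
```

The same-machine check is the one Baltimore’s situation turns on: a “backup” that shares a disk with the data it protects is wiped by the same attack, so it counts as no backup at all.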

One member of the city council – who chaired the audit committee – was also a former federal IT auditor.

“Wow. That’s mind-boggling to me,” he said, Freed writes. “Do they really understand that’s an issue? Because they’re the agency tasked with educating people that that’s the problem.”

It’s especially mind-boggling because not only had Baltimore been hit by ransomware just the year before, but the city had been warned that it was vulnerable to such an attack a couple of years before. “The risk assessment — which appears to be from before September 2017, when the Baltimore City Information & Technology office took its current name — focused on a pair of servers responsible for more than 100 applications operating on a version of Microsoft Windows that is no longer supported by the technology giant,” writes Freed in a different StateScoop article.

“Despite the two attacks, [IT Director Frank] Johnson said that the city’s computer systems have strong defenses,” wrote the Baltimore Sun in May.

Not surprisingly, Johnson – the highest-paid executive in Baltimore city government – was out of office on leave by September. The new IT director started as Johnson’s deputy one day before the May attack.

But things are better now, right?

Well, except for last week, when county computers went down, reportedly due to a storage issue.

September 25, 2019  9:10 AM

Western Digital 20-TB Hard Disk Drive Announced

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Storage, western digital

Five years ago this month, I wrote about Western Digital announcing a 10-terabyte (TB) hard disk drive. Which makes it appropriate that, this month, Western Digital has now announced a *20*-TB hard disk drive.

“Western Digital announced that it would ship 18 TB conventional magnetic recording (CMR) and 20 TB shingled magnetic recording (SMR) HDDs in the first half of 2020,” writes Tom Coughlin in Forbes. “This helium-sealed 9-disk HDD platform is said to have ‘…leveraged energy-assisted recording technology to deliver areal density leadership at the highest capacity available.’”

Well, at least until five years from now.

Incidentally, 10-TB hard disk drives are now considered to be “commodity” hard disk drives, at least according to Backblaze, which is now using 10-TB Seagate drives – as well as other hard disk drives up to 14 TB – in its storage pods. It doesn’t use the Western Digital ones because it has trouble getting them in quantity, director of compliance Andy Klein wrote earlier this year.

Western Digital said it will sample the 18TB Ultrastar DC HC550 CMR HDD and the 20TB Ultrastar DC HC650 SMR HDD to customers by the end of 2019, Coughlin said.

Like the 10-TB hard disk drive, the new 20-TB hard disk drive uses shingled magnetic recording technology, which packs more data into the same space by overlapping adjacent tracks like roof shingles. The tradeoff is speed: rewriting a track in place also clobbers the track shingled on top of it, so that track (and every later one in the band) has to be rewritten too, which makes random writes and overwrites much slower than on a conventional drive, even though sequential writes and reads are fine. For the 10-TB hard disk drive, Western Digital came right out and said it was mainly intended for “cold storage” facilities, and that is presumably true of the new one as well.

Cold storage adds its own kind of “slow.” You put stuff in cold storage that you don’t need all the time, so you spin the drives down rather than keep them running, because that saves energy. Every time you retrieve something, you have to wait for the drive to spin back up. It’s like keeping the beer in the fridge out in the garage. You can put a lot more beer out there, but you have to traipse out to the garage every time you want a beer.
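To make the SMR tradeoff concrete, here is an added toy model of shingled bands; it is not code from the page or from Western Digital. It assumes an eight-track band (real bands are far larger) and counts one “physical track write” per track the drive must rewrite, which is the cost that drive-managed SMR firmware hides behind a write cache but still has to pay eventually. The host-managed mode, where a zone is append-only and must be reset before reuse, is likewise a simplified assumption modeled on how zoned drives are exposed to the host.

```python
"""Toy model of why shingled magnetic recording (SMR) is slow on overwrites.

Added example, not from the page or from Western Digital. Band size and the
one-track-per-write cost unit are illustrative assumptions.
"""
import random

BAND_TRACKS = 8  # assumed band size; real SMR bands hold many more tracks


class SmrDisk:
    """Tracks are grouped into bands. Within a band each track is written
    partly on top of the previous one (like roof shingles), so rewriting
    track t in place also destroys track t+1, which then has to be rewritten,
    and so on up to the last written track in the band."""

    def __init__(self, bands, band_tracks=BAND_TRACKS, host_managed=False):
        self.band_tracks = band_tracks
        self.host_managed = host_managed
        self.data = [[None] * band_tracks for _ in range(bands)]
        self.logical_writes = 0   # writes the host asked for
        self.physical_writes = 0  # track writes the drive actually performed

    def _frontier(self, band):
        """Index of the last track in the band holding data (-1 if empty)."""
        written = [i for i, v in enumerate(self.data[band]) if v is not None]
        return written[-1] if written else -1

    def write(self, band, track, value):
        """Write one track; return how many physical track writes it cost."""
        last = self._frontier(band)
        if self.host_managed and track != last + 1:
            # Host-managed zones are strictly sequential: the host must write at
            # the write pointer, and must reset the whole zone to reuse a track.
            raise ValueError(
                f"band {band}: track {track} is not at the write pointer ({last + 1})")
        self.data[band][track] = value
        # Appending at or past the frontier disturbs no later track; writing
        # behind it forces a read-modify-write of this track and every later one.
        cost = 1 if track >= last else last - track + 1
        self.logical_writes += 1
        self.physical_writes += cost
        return cost

    def reset_band(self, band):
        """Host-managed zone reset: discard the band so it can be refilled."""
        self.data[band] = [None] * self.band_tracks

    def write_amplification(self):
        """Physical track writes per logical write (1.0 is CMR-like behaviour)."""
        if not self.logical_writes:
            return 0.0
        return self.physical_writes / self.logical_writes


def sequential_fill(disk):
    """Cold-storage pattern: fill every band front to back. Each write costs 1."""
    for b in range(len(disk.data)):
        for t in range(disk.band_tracks):
            disk.write(b, t, f"blob-{b}-{t}")
    return disk.write_amplification()


def random_overwrites(disk, n, seed=1):
    """Active-data pattern: overwrite n random tracks of an already full disk."""
    rng = random.Random(seed)
    bands = len(disk.data)
    for i in range(n):
        disk.write(rng.randrange(bands), rng.randrange(disk.band_tracks), f"update-{i}")
    return disk.write_amplification()


if __name__ == "__main__":
    disk = SmrDisk(bands=4)
    print(f"sequential fill: write amplification {sequential_fill(disk):.2f}")
    print(f"after 100 random overwrites: {random_overwrites(disk, 100):.2f}")
```

Filling the disk in order costs exactly one track write per track, which is why write-once cold storage suits SMR; once the disk is full, a random overwrite of the first track in a band costs a rewrite of the whole band, and the amplification climbs accordingly. Switching the model to host-managed mode shows where that cost goes instead: the drive refuses the out-of-order write, and it becomes the filesystem’s job to append and reset zones.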

Coughlin did cite Western Digital as saying that the drives are targeted at data center applications and that the company estimated that 50 percent of its hard disk drive exabytes shipped will be on SMR by 2023. The press release also quoted the vice president of engineering at Dropbox.

Another big customer is likely to be DDN, which Western Digital recently announced would be buying the company’s IntelliFlash business as part of its plan to exit from storage systems. At the same time, though, the two companies agreed to a multi-year strategic sourcing agreement, under which DDN will increase its purchases of Western Digital’s HDD and SSD storage devices, according to a Western Digital press release.

According to Coughlin, Western Digital holds 37 percent of the hard disk drive market, while Seagate holds 40 percent and Toshiba holds 23 percent.

The company didn’t say how much the new hard disk drives would cost.

Disclaimer: I am a Backblaze customer.

September 8, 2019  9:11 PM

Government Wants User Download Data from Apple, Google

Sharon Fisher Sharon Fisher Profile: Sharon Fisher
Encryption, government, privacy, Security

We’ve written more than once about government efforts – in the name of fighting crime, of course – to track down everyone in a particular area where the crime was committed. But there’s a new wrinkle.

The Department of Justice and Immigration and Customs Enforcement (ICE) are now seeking a court order to force Apple and Google to hand over the names, phone numbers and IP addresses of everyone who has downloaded a particular application since August 2017, plus when they’ve used it. The application in question is called Obsidian 4 and is put out by night-vision specialist American Technologies Network Corp. (ATN). Its purpose is to let gun owners get a live stream, take video and calibrate their gun scope from an Android or iPhone device, according to Thomas Brewster in Forbes, who broke the story.

While other governments have made similar requests in the past – Brewster describes one non-U.S. government that asked one global technology company for the names and addresses of 58 million users of a single app so it could trace a suspected terrorist cell plotting a suicide bomb attack – this is the first time the U.S. government has tried this, he writes.

The issue is illegal exports of ATN’s scope, which is controlled under the International Traffic in Arms Regulations (ITAR), though the company itself isn’t under investigation, Brewster writes.

Likely this would be considered a “third party” request, because the government isn’t asking the users themselves for the information but the companies to which the users handed it. In Carpenter v. United States (2018), the Supreme Court ruled that obtaining a suspect’s historical cell-site location records from his carrier required a warrant, even though those records were a third party’s business records.

However, the Carpenter opinion expressly declined to say anything about “tower dumps” – in other words, a download of information on all the devices that connected to a particular cell site during a particular interval – so it neither blessed nor forbade bulk requests of that kind. It could be that a court will see the Obsidian 4 request as a similar situation, or will at least give the Department of Justice some of the information, with the ability to get a warrant for the remaining data on any individual who looks particularly suspicious.

Needless to say, conservative websites are having kittens about this, because they see it as a back door to track down gun owners.

“Allowing this request to go through would create dangerous precedents,” writes Beth Baumann in Townhall, which describes itself as the leading source for conservative news and political commentary and analysis. “The most dangerous aspect though is the government being able to pinpoint every single person and every single firearm a person has. It’s a form of a gun registry…without calling it that.”

According to American Military News, ATN wasn’t contacted about the court order, and intends to protect its customer data to the extent it is allowable under law.

If the idea is actually to track down overseas users of the application, the government should do that, writes Jazz Shaw for HotAir, a sister publication of Townhall. “Why ask for the data for all users?” he writes. “Surely Google and Apple could provide the user data for just those users outside the United States, right? Why not just ask for that if there are no issues with people using the scopes or the app in America? Seems like a reasonable compromise that both the government and the tech giants could see eye to eye on.”

But the problem with this request is actually broader than that. Keep in mind that, at various times, the government has outlawed or restricted certain things you do with a computer, ranging from exporting strong encryption software (which was treated as a munition until the late 1990s) to online gambling. What would it be like if the government could then track down everyone who had downloaded such applications and bust them for owning them?

For example, if the FBI succeeds in outlawing encryption, will the government be able to track down everyone who’s ever downloaded WhatsApp, even if they don’t realize it uses encryption and didn’t download it for that purpose? Or, in a hypothetical oppressive U.S. government that outlawed social media or the use of the Internet altogether, what if the government could get the names and contact information for everyone who ever downloaded Twitter or a TCP/IP stack?

A security analyst quoted by Brewster also notes that people don’t necessarily download an app in order to use it; they could be checking it for security vulnerabilities, for example. People could also become less willing to use the Google and Apple app stores in response to this, the analyst added.

Another concerning aspect is that the court order was supposed to have been sealed, and Forbes apparently managed to get a copy of it beforehand. One would assume future court orders won’t make that mistake, and people won’t even be able to find out about them.

Presumably the various civil liberties organizations, not to mention Google and Apple themselves, are lawyering up to stop this. Because the precedent, if this passes, is pretty scary.
