Shared posts

25 Oct 21:34

[Ilya Somin] Vice presidents matter more than you might think

by Ilya Somin
Andrew Johnson - a vice president whose ascension to the presidency may have had a major impact on history.


Tonight’s vice presidential debate probably won’t matter much to the outcome of the presidential race. But there is good reason to pay attention to the VP nominees nonetheless.

This year, even more than in most election cycles, the vice presidential nominees have been obscured by the people at the top of the ticket. Hillary Clinton and Donald Trump are two of the most controversial and widely hated presidential candidates of modern times. As public attention focuses on them, there is little interest in Tim Kaine and Mike Pence. A recent ABC News poll found that 46 percent of Americans cannot even correctly recall Kaine as the Democratic VP nominee, and 41 percent could not correctly name Pence as the Republican candidate. Many of those voters who do know Kaine and Pence’s names probably don’t know much more about them than that. It’s yet another example of widespread voter ignorance.

Perhaps such ignorance is not a problem, because the vice presidency doesn’t matter much. As the saying goes, their only really important job is waiting around for the president to die. But in reality, vice presidents often matter a great deal.

For one thing, waiting around for the president to die is actually a very important job. Eight presidents have done just that while in office, and been succeeded by their VPs. A ninth vice president – Gerald Ford – became president when Richard Nixon was forced to resign by the threat of impeachment. All told, over twenty percent of presidents have had their term cut short by death or resignation, leading to the succession of their VP. Such a high chance of ascending to the presidency is by itself enough to make the vice president important, even if he or she does not matter in any other way.

Some of the VPs-turned-presidents had a major impact on history. Harry Truman made the decision to drop the atomic bomb on Hiroshima and laid the foundations for Cold War-era US foreign policy. Andrew Johnson, who became president after Abraham Lincoln’s assassination, undermined the effectiveness of Reconstruction by impeding efforts to protect the rights of newly freed African-American slaves. Some scholars believe that Reconstruction would have gone much better if Lincoln had lived, or if he had selected a vice president more sympathetic to African-American rights.

The chance of a VP succession may be higher with Clinton and Trump than with most other modern presidential candidates. Trump is 70 years old, and Hillary Clinton will turn 69 this year – relatively advanced ages for a newly elected president. Moreover, both have a history of scandals, which increases the likelihood of impeachment.

Those VPs who don’t get into the Oval Office because of death or impeachment are still often able to use it as a stepping stone to winning their party’s presidential nomination in the future – as happened with Richard Nixon, Walter Mondale, and George H.W. Bush. While the office has little formal power, it is visible enough that the vast majority of voters come to know the vice president’s name during his four or eight years in office, even if they did not know it before he got elected. Such name recognition is a major advantage in primary races.

Finally, at least a few vice presidents exercise significant influence over policy. Dick Cheney’s major role in foreign policy under George W. Bush is a particularly notable example.

This year’s VP nominees are notable for being far preferable to their parties’ presidential nominees. Tim Kaine deserves credit for his principled stand in favor of enforcing constitutional limits on presidential power – opposing unconstitutional initiation of war by a president of his own party. By contrast, Hillary Clinton was one of the principal initiators of the unconstitutional Libya war, which President Obama now concedes was his “worst mistake.”

Mike Pence has not taken any comparably admirable principled stances. But he is at least more competent and knowledgeable, and less authoritarian than Donald Trump. Before becoming the VP nominee, he also differed with much of Trump’s horrendous policy agenda, though he has not dared to speak out against it since then.

But, however we evaluate Kaine and Pence, they are worth paying serious attention to. There is a real chance that one of them might become president himself in the not-too-distant future.

25 Oct 21:34

[Eugene Volokh] Short Circuit: A roundup of recent federal court decisions

by Eugene Volokh

(Here is the latest edition of the Institute for Justice’s weekly Short Circuit newsletter, written by John Ross.)

Is judicial engagement little more than a camouflaged appeal for more libertarian judicial outcomes? Not a bit of it, argues Evan Bernick of the Center for Judicial Engagement, responding to a critique of his lead essay over at Cato Unbound. Click here to read more.

This week on the podcast: One of IJ’s newest litigators, Josh House, talks bogus arson charges and illegal marijuana prosecutions.

  • Regulator to regulated: “We don’t care what the law says, if you want to beat us, you will have to fight us.” The D.C. Circuit (over a dissent) characterizes the NLRB’s policy towards employers (accused of a particular wrongdoing) thusly, and awards attorneys’ fees to one employer forced to waste resources defending against the NLRB’s bad-faith litigation tactics.
  • There is no evidence that the practice of taking a photo of one’s ballot and posting it online is at all linked to vote buying or voter intimidation, says the First Circuit, so a New Hampshire law prohibiting ballot selfies in order to prevent such ills does not satisfy intermediate scrutiny. (One plaintiff, upon learning the authorities were investigating ballot-selfie takers, posted his selfie with a message: “Come at me, bro.”)
  • First Circuit: The erratic, threatening behavior of Bangor, Me. man thought to be high on bath salts justified efforts to take him into protective custody. But sitting, kneeling on him for several minutes after he stopped thrashing could be excessive force. His estate can sue the police over his death.
  • In 1981, Boston redevelopment officials accepted federal funds to clean up dilapidated pier. Today, officials would like to lease space on the pier to a restaurant/bar. Feds: Sorry, the grant stipulated that the site must remain open for recreational use. First Circuit: And so it must remain, unless the city creates recreational space elsewhere to the feds’ satisfaction.
  • NYC undercover officer allegedly fabricates evidence against drug suspect, who spends eight months in jail before being acquitted. Officer: I had probable cause to arrest, so he can’t sue me for fabricating evidence afterward. Second Circuit: No, he can. The jury’s $20,001 award to the suspect stands.
  • American Express charges merchants who accept its cards a higher fee than do competing credit-card companies (and uses the extra revenue to fund perks for cardholders). Amex also bars merchants from offering enticements to customers to use competitors’ cards. DOJ: That’s an antitrust violation. Second Circuit: If merchants don’t want to pay the fees, they can just stop accepting Amex.
  • Dallas arts patron sells painting (“the Red Rothko”) to financier for $19 million with expectation that the sale will be kept confidential. Three years later, however, the financier auctions the painting for $31 million — and the public learns of the initial sale. Fifth Circuit: The patron’s suit for breach of confidentiality is untenable.
  • Perhaps mistaking sound of car backfiring for gunshot, Cleveland police chase vehicle. Ultimately, 13 officers fire 139 shots at the vehicle’s (likely unarmed) occupants, killing them both. Nine white officers sue the city, arguing they were put on desk duty after the shooting for much longer than black officers who killed citizens in other incidents. Sixth Circuit: The district court did not err in dismissing the suit.
  • Guilty verdict in Mishawaka, Ind. triple-murder case set aside. At second trial, new prosecutor, who represented suspect granted immunity in exchange for testimony in first trial, gets conviction. Seventh Circuit (en banc): Which didn’t bother the district court, and it didn’t come up on appeal. But the jury should have heard that neighbors claimed to have seen a victim alive after investigators concluded he’d been murdered — at a time when the alleged murderer was in another state. Habeas petition granted.
  • The IRS knew full well that Arnold Park, Iowa restaurant owner who broke up her cash deposits into increments of less than $10,000 was not a criminal and that, if she broke the law at all, it was at most a technical violation. Still, the agency attempted to forfeit $32,000 — and only relented when counsel intervened. Is she entitled to attorneys’ fees? The Eighth Circuit says no. This is an IJ case.
  • Typically, there is but one guard on duty to monitor 230 inmates at Helena, Okla. state prison with open dormitory-style housing — a state of affairs that lends itself to prisoner-on-prisoner violence. Tenth Circuit: Could be an Eighth Amendment violation.
  • Alabama campaign-finance law generally prohibits PACs from making political contributions to other PACs, even if the recipient PAC spends the money on independent political ads. A First Amendment violation? Eleventh Circuit: There’s a circuit split on the issue, but we say no.
  • Two sex offenders who live in a homeless encampment may challenge Miami-Dade County, Fla. law barring them from living within 2,500 feet of a school, says the Eleventh Circuit. Plaintiffs sufficiently alleged that the law undermines public safety, so the district court should not have dismissed their Ex Post Facto claims.

West Haven, Conn. officials want to seize retiree Bob McGinnity’s childhood home and give it to a private developer to build a shopping mall. City officials believe the Supreme Court’s widely reviled Kelo v. City of New London decision gives them carte blanche to do whatever they want — even if they’re just doing the bidding of a Texas developer instead of following their own city plans. IJ disagrees — and thinks the Connecticut Supreme Court (and possibly the U.S. Supreme Court) will disagree as well. This week, Bob teamed up with IJ to file a suit to put a stop to this abuse of eminent domain once and for all. Read more here.

25 Oct 21:30

[Eugene Volokh] ‘Patents constricting the essential channels of online communication run afoul of the First Amendment’

by Eugene Volokh

So writes Judge Haldane Mayer of the U.S. Court of Appeals for the Federal Circuit, concurring in Friday’s panel majority opinion in Intellectual Ventures, Inc. v. Symantec Corp. I’m swamped right now and can’t go into more detail; I’m also not a patent law expert. But I thought the issue would be very interesting to many readers, so here’s the heart of Mayer’s First Amendment argument — you can also read the rest of the opinion (and the majority and partial dissent), which discuss the patent law issues in more detail:

“The Constitution protects the right to receive information and ideas. . . . This right to receive information and ideas, regardless of their social worth, is fundamental to our free society.” Stanley v. Georgia, 394 U.S. 557, 564 (1969) (citations omitted). Patents, which function as government-sanctioned monopolies, invade core First Amendment rights when they are allowed to obstruct the essential channels of scientific, economic, and political discourse. See United States v. Playboy Entm’t Grp., Inc., 529 U.S. 803, 812 (2000) (“The distinction between laws burdening and laws banning speech is but a matter of degree.”); see also In re Tam, 808 F.3d 1321, 1340 (Fed. Cir. 2015) (en banc) (explaining that the government may impermissibly burden speech “even when it does so indirectly”).

Although the claims at issue here disclose no new technology, they have the potential to disrupt, or even derail, large swaths of online communication. [The “’050 patent”] purports to cover methods of “identifying characteristics of data files,” whereas [the “’142 patent”] broadly claims systems and methods which allow an organization to control internal email distribution. [The “’610 patent”] describes, in sweeping terms, screening a communication for viruses or other harmful content at an intermediary location before delivering it to an addressee. The asserted claims speak in vague, functional language, giving them the elasticity to reach a significant slice of all email traffic. Indeed, the claims of the ’610 patent could reasonably be read to cover most methods of screening for harmful content while data is being transmitted over a network.

Suppression of free speech is no less pernicious because it occurs in the digital, rather than the physical, realm. . . . Essential First Amendment freedoms are abridged when the Patent and Trademark Office (“PTO”) is permitted to balkanize the Internet, granting patent owners the right to exact heavy taxes on widely-used conduits for online expression.

Like all congressional powers, the power to issue patents and copyrights is circumscribed by the First Amendment. In the copyright context, the law has developed “built-in First Amendment accommodations.” Specifically, copyright law “distinguishes between ideas and expression and makes only the latter eligible for copyright protection.” It also applies a “fair use” defense, permitting members of “the public to use not only facts and ideas contained in a copyrighted work, but also expression itself in certain circumstances.”

Just as the idea/expression dichotomy and the fair use defense serve to keep copyright protection from abridging free speech rights, restrictions on subject matter eligibility can be used to keep patent protection within constitutional bounds. Section 101 creates a “patent-free zone” and places within it the indispensable instruments of social, economic, and scientific endeavor. Online communication has become a “basic tool[]” of modern life, driving innovation and supplying a widely-used platform for political dialogue. Section 101, if properly applied, can preserve the Internet’s open architecture and weed out those patents that chill political expression and impermissibly obstruct the marketplace of ideas.

As both the Supreme Court and this court have recognized, section 101 imposes “a threshold test,” one that must be satisfied before a court can proceed to consider subordinate validity issues such as non-obviousness under 35 U.S.C. § 103 or adequate written description under 35 U.S.C. § 112. Indeed, if claimed subject matter is not even eligible for patent protection, any pronouncement on whether it is novel or adequately supported by the written description constitutes an impermissible advisory opinion.

The public has a “paramount interest in seeing that patent monopolies . . . are kept within their legitimate scope.” Nowhere is that interest more compelling than in the context of claims that threaten fundamental First Amendment freedoms. “As the most participatory form of mass speech yet developed, the Internet deserves the highest protection from governmental intrusion.” A robust application of section 101 at the outset of litigation will ensure that the essential channels of online communication remain “free to all men and reserved exclusively to none.”

25 Oct 21:27

[Eugene Volokh] Insulting letters to politician’s home are constitutionally protected, unless they are ‘true threats’

by Eugene Volokh

So the Massachusetts Supreme Judicial Court held Tuesday in Commonwealth v. Bigelow (some paragraph breaks added):

It is true that the letters were sent to Michael [Bigelow] at his home, a location where the homeowner’s privacy is itself entitled to constitutional protection. Cf. Rowan v. United States Post Office Dep’t (1970). But Michael was an elected town official, and as Michael himself testified, receiving mail from disgruntled constituents is usual for a politician. A person “who decides to seek governmental office must accept certain necessary consequences of that involvement in public affairs … [and] runs the risk of closer public scrutiny than might otherwise be the case.”

Here, given Michael’s status as a selectman and the content of the letters, it cannot be said that Michael’s “substantial privacy interests [were] invaded in an essentially intolerable manner.” Cohen v. California (1971). See State v. Drahota (Neb. 2010) (defendant’s abusive, outrageous, electronic mail messages to former professor running for State elective office, insofar as they did not qualify as fighting words, were protected speech not subject to criminal punishment under disturbing peace statute despite professor’s previous instruction not to send further messages). See also United States v. Popa (D.C. Cir. 1999) (defendant’s seven anonymous telephone messages left on United States Attorney’s office telephone, containing racial epithets directed at United States Attorney and complaints about abusive police officers, constituted protected speech directed at public official; statute punishing anonymous telephone calls made with intent to annoy, abuse, threaten or harass held unconstitutional as applied to defendant, requiring reversal of conviction); State v. Fratzke (Iowa 1989) (First Amendment precluded defendant from being punished under criminal harassment statute for offensive, profane letter written to State trooper to protest speeding ticket where no “fighting words” were included). Contrast Hott v. State (Ind. Ct. App. 1980) (upholding defendant’s conviction of making indecent telephone call based on vulgar calls made to police chief and prosecuting attorney at their respective homes late at night to complain about police sergeant).

Conceding that the letters contain protected political speech, the Commonwealth urges that, as in Commonwealth v. Johnson (2014), the defendant’s speech was integral to a larger course of harassing conduct directed at Michael that caused Michael serious and reasonable alarm. The argument fails…. [I]n Johnson, … the defendants used their speech intentionally to initiate and carry out a plan of harassment of the victims through the conduct of (many) third parties. Here, however, the defendant’s speech did not initiate or carry out any separate conduct that could be deemed harassing or illegal for an independent reason (i.e., a separate crime). The only conduct of the defendant’s at issue is his writing and mailing the anonymous letters; as previously indicated, there was no evidence that the defendant’s letters caused any other person to undertake any type of action in relation to Michael….

The defendant’s speech directed at Susan [Bigelow], fairly considered, was not an expression of political views about a public official but rather a series of offensive personal comments about her and her husband Michael. But the fact that the speech may not be categorically protected as political speech does not mean that it therefore automatically qualifies as constitutionally unprotected speech. Given this court’s interpretation of § 43A [the Massachusetts criminal harassment statute] and its underlying legislative intent, however, the speech must fit in a category of unprotected speech if the defendant’s conviction of criminally harassing Susan based on the contents of his speech is to stand….

True threats represent a category of unprotected speech that our cases have noted is relevant to criminal harassment as defined and proscribed by § 43A…. [V]iewed in context, a jury reasonably could conclude that the defendant’s speech directed at Susan that was contained in each of the last three letters qualified as true threats…

[S]ome of the specific comments in the letters, such as Susan’s possible future need to have plastic surgery to change her appearance as a self-protective measure, her current need to move out of their home, provocative warnings to Susan about attending town meetings, and the reference to Michael having burned the home of his first wife with her in it, by themselves could be found to qualify as expressing a danger to Susan’s personal safety, especially in her home.

Furthermore, the text of the letters must be viewed contextually. From Susan’s perspective these letters were three out of a total of five letters written to her by a person who refused to identify himself or herself except as a “concerned citizen,” and were sent at regular, two-to-three week intervals over two months — ceasing, it can be inferred, only after the defendant’s son effectively revealed his father’s identity. The anonymity of the letters made evaluation of the sender’s intent impossible, and therefore could be found to have greatly increased the letters’ potential to instill in Susan a fear of future harm, including physical harm, being visited on her in her home…. The repetitive mailing of anonymous letters to Susan’s home — indicating, obviously, that the sender knew where she lived — could reasonably be found by a jury as supporting and indeed amplifying the message of threat to Susan’s personal safety that the three letters contained….

[T]he failure to instruct the jury that where the complaint is based on incidents of pure speech, they must find the defendant’s challenged speech constituted a true threat — and therefore was constitutionally unprotected speech — created a substantial risk of a miscarriage of justice. The defendant is entitled to a new trial on the count of the complaint alleging criminal harassment of Susan, a trial at the conclusion of which the jury are to be instructed on the unprotected character of speech that they must find the Commonwealth to have proved beyond a reasonable doubt, along with all the elements of the offense in order for the jury to find the defendant guilty of criminal harassment.

Three of the seven justices dissented, arguing that the letters to Susan Bigelow weren’t properly seen as true threats, though they also would have concluded that some protected speech that doesn’t qualify as true threats may nonetheless be punished by the stalking ban, because

The requirement of the criminal harassment statute that speech be “directed at” one victim, on at least three occasions, removes the majority of protected speech from the statute’s reach, and ensures, in the plain language of the statute, that § 43A will not apply to any speaker who disseminates a political, religious, or other protected message to a general audience, albeit that the message contains vulgar, offensive, or disturbing speech.

25 Oct 21:26

Does ‘brain training’ work?

by tomstafford

You’ve probably heard of “brain training exercises” – puzzles, tasks and drills which claim to keep you mentally agile. Maybe, especially if you’re an older person, you’ve even bought the book, or the app, in the hope of staving off mental decline. The idea of brain training has widespread currency, but is that due to science, or empty marketing?

Now a major new review, published in Psychology in the Public Interest, sets out to systematically examine the evidence for brain training. The results should give you pause before spending any of your time and money on brain training, but they also highlight what happens when research and commerce become entangled.

The review team, led by Dan Simons of the University of Illinois, set out to inspect all the literature which brain training companies cited in their promotional material – in effect, taking them at their word, with the rationale that the best evidence in support of brain training exercises would be that cited by the companies promoting them.

The chairman says it works

A major finding of the review is the poverty of the supporting evidence for these supposedly scientific exercises. Simons’ team found that half of the brain training companies that promoted their products as being scientifically validated didn’t cite any peer-reviewed journal articles, relying instead on things like testimonials from scientists (including the company founders). Of the companies which did cite evidence for brain training, many cited general research on neuroplasticity, but nothing directly relevant to the effectiveness of what they promote.

The key issue for claims around brain training is that practising these exercises will help you in general, or on unrelated tasks. Nobody doubts that practising a crossword will help you get better at crosswords, but will it improve your memory, your IQ or your ability to skim read email? Such effects are called transfer effects, and so-called “far transfer” (transfer to a very different task than that trained) is the ultimate goal of brain training studies. What we know about transfer effects is reviewed in Simons’ paper.

Doing puzzles makes you, well, good at doing puzzles.

As well as trawling the company websites, the reviewers inspected a list provided by an industry group (Cognitive Training Data) of some 132 scientific papers claiming to support the efficacy of brain training. Of these, 106 reported new data (rather than being reviews themselves). Of those 106, 71 used a proper control group, so that the effects of the brain training could be isolated. Of those 71, only 49 had a so-called “active control” group, in which the control participants actually did something rather than being ignored by the researchers. (An active control is important if you want to distinguish the benefit of your treatment from the benefits of expectation or responding to researchers’ attentions.) Of these 49, about half of the results came from just six studies.

Overall, the reviewers conclude, no study which is cited in support of brain training products meets the gold standard for best research practices, and few even approached the standard of a good randomised control trial (although note their cut off for considering papers missed this paper from late last year).

A bit premature

The implications, they argue, are that claims for general benefits of brain training are premature. There’s excellent evidence for benefits of training specific to the task trained on, they conclude, less evidence for enhancement on closely related tasks and little evidence that brain training enhances performance on distantly related tasks or everyday cognitive performance.

The flaws in the studies supporting the benefits of brain training aren’t unique to the study of brain training. Good research is hard and all studies have flaws. Assembling convincing evidence for a treatment takes years, with evidence required from multiple studies and from different types of studies. Indeed, it may yet be that some kind of cognitive training can be shown to have the general benefits that are hoped for from existing brain training exercises. What this review shows is not that brain training can’t work, merely that promotion of brain training exercises is – at the very least – premature based on the current scientific evidence.

Yet in a 2014 survey of US adults, over 50% had heard of brain training exercises and showed some credence to their performance enhancing powers. Even the name “brain training”, the authors of the review admit, is a concession to marketing – this is how people know these exercises, despite their development having little to do with the brain directly.

The widespread currency of brain training isn’t because of overwhelming evidence of benefits from neuroscience and psychological science, as the review shows, but it does rely on the appearance of being scientifically supported. The billion-dollar market in brain training is parasitic on the credibility of neuroscience and psychology. It also taps into our lazy desire to address complex problems with simple, purchasable, solutions (something written about at length by Ben Goldacre in his book Bad Science).

The Simons review ends with recommendations for researchers into brain training, and for journalists reporting on the topic. My favourite was their emphasis that any treatment needs to be considered for its costs, as well as its benefits. By this standard there is no commercial brain training product which has been shown to have greater benefits than something you can do for free. Also important is the opportunity cost: what could you be doing in the time you invest in brain training? The reviewers deliberately decided to focus on brain training, so they didn’t cover the proven and widespread benefits of exercise for mental function, but I’m happy to tell you now that a brisk walk round the park with a friend is not only free, and not only more fun, but has better scientific support for its cognitive-enhancing powers than all the brain training products which are commercially available.


Tom Stafford, Lecturer in Psychology and Cognitive Science, University of Sheffield

This article was originally published on The Conversation. Read the original article.


25 Oct 21:07

Some technical notes on the PlayPen case

by noreply@blogger.com (Robert Graham)
In March of 2015, the FBI took control of a Tor onion child porn website ("PlayPen"), then used an 0day exploit to upload malware to visitors' computers, to identify them. There is some controversy over the warrant they used, and government mass hacking in general. However, much of the discussion misses some technical details, which I thought I'd discuss here.

IP address

In a post on the case, Orin Kerr claims: "retrieving IP addresses is clearly a search".

He is wrong, at least, in the general case. Uploading malware to gather other things (hostname, username, MAC address) is clearly a search. But discovering the IP address is a different thing.

Today's homes contain many devices behind a single router. The home has only one public IP address, that of the router. All the other devices have local IP addresses. The router then does network address translation (NAT) in order to convert outgoing traffic to all use the public IP address.

The FBI sought the public IP address of the NAT/router, not the local IP address of the perp's computer. The malware ("NIT") didn't search the computer for the IP address. Instead the NIT generated network traffic, destined to the FBI's computers. The FBI discovered the suspect's public IP address by looking at their own computers.

Historically, there have been similar ways of getting this IP address (from a Tor hidden user) without "hacking". In the past, Tor used to leak DNS lookups, which would often lead to the user's ISP, or to the user's IP address itself. Another technique would be to provide rich content files (like PDF) or video files that the user would have to download to view, and which would then contact the Internet (contacting the FBI's computers) themselves, bypassing Tor.

Since the Fourth Amendment is about where the search happens, and not what is discovered, it's not a search to find the IP address in packets arriving at FBI servers. How the FBI discovered the IP address may be a search (running malware on the suspect's computer), but the public IP address itself doesn't necessarily mean a search happened.

Of course, uploading malware just to transmit packets to an FBI server, and getting the IP address from the packets, is still problematic. It's gotta be something that requires a warrant, even though it's not precisely the malware searching the machine for its IP address.

In any event, if not for the IP address, then PlayPen searches still happened for the hostname, username, and MAC address. Imagine the FBI gets a search warrant, shows up at the suspect's house, and finds no child porn. They then look at the WiFi router, and find that the suspected MAC address is indeed connected. They then use other tools to find that the device with that MAC address is located in the neighbor's house -- who has been piggybacking off the WiFi.
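
The NAT behaviour described in this section, as an added example that is not part of the original post: a constructed Python model of a home router doing address translation, showing that a server learns only the router's public address from the packets that reach it and cannot tell which device behind the router sent them. All addresses, device names and class names are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (private LAN plus documentation address ranges).
LAN = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "203.0.113.7"            # the router's single public address
SERVER = ("198.51.100.20", 443)      # remote server that logs its visitors


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Port-translating NAT: many private hosts share one public address."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._by_flow = {}   # (private ip, private port) -> public port
        self._by_port = {}   # public port -> (private ip, private port)

    def outbound(self, pkt):
        """Rewrite the private source address to the public one."""
        if ipaddress.ip_address(pkt.src_ip) not in LAN:
            raise ValueError("source is not on the LAN side")
        flow = (pkt.src_ip, pkt.src_port)
        if flow not in self._by_flow:
            self._by_flow[flow] = self._next_port
            self._by_port[self._next_port] = flow
            self._next_port += 1
        return Packet(self.public_ip, self._by_flow[flow],
                      pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Map a reply back to the private host, or drop it (None)."""
        flow = self._by_port.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or flow is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, flow[0], flow[1])


class Server:
    """Records the source address of every packet that arrives."""

    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.seen = []

    def receive(self, pkt):
        self.seen.append((pkt.src_ip, pkt.src_port))
        return Packet(self.ip, self.port, pkt.src_ip, pkt.src_port)


# Three devices on the same WiFi, including a neighbor piggybacking on it.
DEVICES = {
    "desktop": ("192.168.1.10", 51000),
    "phone": ("192.168.1.11", 51000),
    "neighbor-laptop": ("192.168.1.42", 60123),
}


def run_demo():
    router = NatRouter(PUBLIC_IP)
    server = Server(*SERVER)
    delivered = {}
    for name, (ip, port) in DEVICES.items():
        on_the_wire = router.outbound(Packet(ip, port, *SERVER))
        reply = server.receive(on_the_wire)
        back = router.inbound(reply)
        delivered[name] = (back.dst_ip, back.dst_port)
    # A packet to a public port with no translation entry is dropped.
    unsolicited = router.inbound(Packet(SERVER[0], SERVER[1], PUBLIC_IP, 49999))
    return server.seen, delivered, unsolicited


if __name__ == "__main__":
    seen, delivered, unsolicited = run_demo()
    print("server log:", seen)
    print("replies delivered to:", delivered)
    print("unsolicited inbound:", unsolicited)
```

The server's log holds the same public address for all three devices; only the router's translation table, which the server never sees, ties a public port back to a particular machine.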


It's a pre-crime warrant (#MinorityReport)

The warrant allows the exploit/malware/search to be used whenever somebody logs in with a username and password.

The key thing here is that the warrant includes people who have not yet created an account on the server at the time the warrant is written. They will connect, create an account, log in, then start accessing the site.

In other words, the warrant includes people who have never committed a crime when the warrant was issued, but who first commit the crime after the warrant. It's a pre-crime warrant. 

Sure, it's possible in any warrant to catch pre-crime. For example, a warrant for a drug dealer may also catch a teenager making their first purchase of drugs. But this seems quantitatively different. It's not targeting the known/suspected criminal -- it's targeting future criminals.

This could easily be solved by limiting the warrant to only accounts that have already been created on the server.


It's more than an anticipatory warrant

People keep saying it's an anticipatory warrant, as if this explains everything.

I'm not a lawyer, but even I can see that this explains only that the warrant anticipates future probable cause. "Anticipatory warrant" doesn't explain that the warrant also anticipates future place to be searched. As far as I can tell, "anticipatory place" warrants don't exist and are a clear violation of the Fourth Amendment. It makes it look like a "general warrant", which the Fourth Amendment was designed to prevent.

Orin's post includes some "unknown place" examples -- but those specify something else in particular. A roving wiretap names a person, and the "place" is whatever phone they use. In contrast, this PlayPen warrant names no person. Orin thinks that the problem may be that more than one person is involved, but he is wrong. A warrant can (presumably) name multiple people, or you can have multiple warrants, one for each person. Instead, the problem here is that no person is named. It's not "Rob's computer", it's "the computer of whoever logs in". Even if the warrant were ultimately for a single person, it'd still be problematic because the person is not identified.

Orin cites another case, where the FBI places a beeper into a package in order to track it. The place, in this case, is the package. Again, this is nowhere close to this case, where no specific/particular place is mentioned, only a type of place. 

This could easily have been resolved. Most accounts were created before the warrant was issued. The warrant could simply have listed all the usernames, saying the computers of those using these accounts are the places to search. It's a long list of usernames (1,500?), but if you can't include them all in a single warrant, in this day and age of automation, I'd imagine you could easily create 1,500 warrants.

It's malware

As a techy, the name for what the FBI did is "hacking", and the name for their software is "malware" not "NIT". The definitions don't change depending upon who's doing it and for what purpose. That the FBI uses weasel words to distract from what it's doing seems like a violation of some sort of principle.



Conclusion

I am not a lawyer, I am a revolutionary. I care less about precedent and more about how a Police State might abuse technology. That a warrant can be issued whose condition is similar to "whoever logs into the server" seems like a scary potential for abuse. That a warrant can be designed to catch pre-crime seems even scarier, like science fiction. That a warrant might not be issued for something called "malware", but would be issued for something called "NIT", scares me the most.

This warrant could easily have been narrower. It could have listed all the existing account holders. It could've been even narrower, for account holders where the server logs prove they've already downloaded child porn.

Even then, we need to be worried about FBI mass hacking. I agree that the FBI has good reason to keep the 0day secret, and that it's not meaningful to the defense. But in general, I think courts should demand an overabundance of transparency -- the police could be doing something nefarious, so the courts should demand transparency to prevent that.

25 Oct 21:02

Source Code for IoT Botnet ‘Mirai’ Released

by BrianKrebs

The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

The Hackforums post that includes links to the Mirai source code.


Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

The Hackforums user who released the code, using the nickname “Anna-senpai,” told forum members the source code was being released in response to increased scrutiny from the security industry.

“When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO [link added]. So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.

According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.

“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” said Dale Drew, Level3’s chief security officer.

Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.

In the days since the record 620 Gbps DDoS on KrebsOnSecurity.com, this author has been able to confirm that the attack was launched by a Mirai botnet. As I wrote last month, preliminary analysis of the attack traffic suggested that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the public network itself.

One security expert who asked to remain anonymous said he examined the Mirai source code following its publication online and confirmed that it includes a section responsible for coordinating GRE attacks.

It’s an open question why anna-senpai released the source code for Mirai, but it’s unlikely to have been an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly when law enforcement investigators and security firms start sniffing around a little too close to home. Publishing the code online for all to see and download ensures that the code’s original authors aren’t the only ones found possessing it if and when the authorities come knocking with search warrants.

My guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems.

On the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet each day. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent from 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day, Gartner estimates.

For more on what we can and must do about the dawning IoT nightmare, see the second half of this week’s story, The Democratization of Censorship. In the meantime, this post from Sucuri Inc. points to some of the hardware makers whose default-insecure products are powering this IoT mess.
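A defender's view of the scanning behaviour described in this post, as an added example that is not part of the original article or taken from the Mirai source: it flags LAN devices that open telnet (port 23) connections to many distinct Internet hosts within a short window. The flow-record format, the addresses, the window and the threshold are all constructed assumptions.

```python
"""Flag LAN devices that behave like a telnet-scanning IoT bot.

Added illustration: the record format, thresholds and addresses below are
constructed for this example and do not come from any real capture.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, Iterator, NamedTuple
import ipaddress

TELNET_PORT = 23
WINDOW = timedelta(seconds=60)   # assumed sliding window
MIN_DISTINCT_TARGETS = 5         # assumed alert threshold
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home/office LAN

# Constructed flow records: timestamp, source, destination, dest port, TCP flag.
SAMPLE_FLOWS = """\
# camera: six different Internet hosts on port 23 within six seconds
2016-10-03T10:00:01 192.168.1.20 203.0.113.5 23 SYN
2016-10-03T10:00:02 192.168.1.20 203.0.113.77 23 SYN
2016-10-03T10:00:03 192.168.1.20 198.51.100.14 23 SYN
2016-10-03T10:00:04 192.168.1.20 198.51.100.200 23 SYN
2016-10-03T10:00:05 192.168.1.20 192.0.2.9 23 SYN
2016-10-03T10:00:06 192.168.1.20 192.0.2.131 23 SYN
2016-10-03T10:00:08 192.168.1.20 192.168.1.1 23 SYN
# admin laptop: repeated telnet to one known host
2016-10-03T10:00:10 192.168.1.30 203.0.113.10 23 SYN
2016-10-03T10:00:40 192.168.1.30 203.0.113.10 23 SYN
2016-10-03T10:01:10 192.168.1.30 203.0.113.10 23 SYN
# slow talker: five hosts, but two minutes apart
2016-10-03T10:00:00 192.168.1.40 198.51.100.1 23 SYN
2016-10-03T10:02:00 192.168.1.40 198.51.100.2 23 SYN
2016-10-03T10:04:00 192.168.1.40 198.51.100.3 23 SYN
2016-10-03T10:06:00 192.168.1.40 198.51.100.4 23 SYN
2016-10-03T10:08:00 192.168.1.40 198.51.100.5 23 SYN
# ordinary HTTPS traffic
2016-10-03T10:00:07 192.168.1.50 203.0.113.80 443 SYN
2016-10-03T10:00:09 192.168.1.50 203.0.113.81 443 SYN
this line is malformed
"""


class Flow(NamedTuple):
    ts: datetime
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    flags: str


def parse_flows(text: str) -> Iterator[Flow]:
    """Yield Flow records, silently skipping comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, flags = parts
        try:
            yield Flow(datetime.fromisoformat(ts), ipaddress.ip_address(src),
                       ipaddress.ip_address(dst), int(dport), flags)
        except ValueError:
            continue  # bad timestamp, address or port


def find_telnet_scanners(flows: Iterable[Flow], local_net=LOCAL_NET,
                         window=WINDOW, min_targets=MIN_DISTINCT_TARGETS):
    """Return {local_ip: peak number of distinct external telnet targets
    contacted inside one window} for every device at or above the threshold."""
    recent = defaultdict(deque)   # src -> deque of (timestamp, dst)
    flagged = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport != TELNET_PORT or f.flags != "SYN":
            continue
        # Only outbound attempts count: LAN source, Internet destination.
        if f.src not in local_net or f.dst in local_net:
            continue
        q = recent[f.src]
        q.append((f.ts, f.dst))
        while q and f.ts - q[0][0] > window:
            q.popleft()           # drop attempts older than the window
        distinct = len({dst for _, dst in q})
        if distinct >= min_targets:
            key = str(f.src)
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


if __name__ == "__main__":
    for ip, peak in find_telnet_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ip}: {peak} distinct telnet targets in {WINDOW.seconds}s; "
              "isolate it, change the default password, then reboot")
```

Because a reboot only clears the bot from memory, a device flagged here needs its default password changed before it goes back on the network.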

25 Oct 21:02

DerbyCon 6.0 2016: Hacking Sex Toys - Hak5 2106

by darren@hak5.org (hak5.org)
Hak5 heads to DerbyCon in Louisville to chat with Renderman about the security and privacy flaws in internet of things connected sex toys.
25 Oct 20:57

Credit Cards with Changing CVVs

by Bruce Schneier

There's a new French credit card where the CVV code changes every hour.

25 Oct 20:56

Security Design: Stop Trying to Fix the User

by Bruce Schneier

Every few years, a researcher replicates a security study by littering USB sticks around an organization's grounds and waiting to see how many people pick them up and plug them in, causing the autorun function to install innocuous malware on their computers. These studies are great for making security professionals feel superior. The researchers get to demonstrate their security expertise and use the results as "teachable moments" for others. "If only everyone was more security aware and had more security training," they say, "the Internet would be a much safer place."

Enough of that. The problem isn't the users: it's that we've designed our computer systems' security so badly that we demand the user do all of these counterintuitive things. Why can't users choose easy-to-remember passwords? Why can't they click on links in emails with wild abandon? Why can't they plug a USB stick into a computer without facing a myriad of viruses? Why are we trying to fix the user instead of solving the underlying security problem?

Traditionally, we've thought about security and usability as a trade-off: a more secure system is less functional and more annoying, and a more capable, flexible, and powerful system is less secure. This "either/or" thinking results in systems that are neither usable nor secure.

Our industry is littered with examples. First: security warnings. Despite researchers' good intentions, these warnings just inure people to them. I've read dozens of studies about how to get people to pay attention to security warnings. We can tweak their wording, highlight them in red, and jiggle them on the screen, but nothing works because users know the warnings are invariably meaningless. They don't see "the certificate has expired; are you sure you want to go to this webpage?" They see, "I'm an annoying message preventing you from reading a webpage. Click here to get rid of me."

Next: passwords. It makes no sense to force users to generate passwords for websites they only log in to once or twice a year. Users realize this: they store those passwords in their browsers, or they never even bother trying to remember them, using the "I forgot my password" link as a way to bypass the system completely -- effectively falling back on the security of their e-mail account.

And finally: phishing links. Users are free to click around the Web until they encounter a link to a phishing website. Then everyone wants to know how to train the user not to click on suspicious links. But you can't train users not to click on links when you've spent the past two decades teaching them that links are there to be clicked.

We must stop trying to fix the user to achieve security. We'll never get there, and research toward those goals just obscures the real problems. Usable security does not mean "getting people to do what we want." It means creating security that works, given (or despite) what people do. It means security solutions that deliver on users' security goals without -- as the 19th-century Dutch cryptographer Auguste Kerckhoffs aptly put it -- "stress of mind, or knowledge of a long series of rules."

I've been saying this for years. Security usability guru (and one of the guest editors of this issue) M. Angela Sasse has been saying it even longer. People -- and developers -- are finally starting to listen. Many security updates happen automatically so users don't have to remember to manually update their systems. Opening a Word or Excel document inside Google Docs isolates it from the user's system so they don't have to worry about embedded malware. And programs can run in sandboxes that don't compromise the entire computer. We've come a long way, but we have a lot further to go.

"Blame the victim" thinking is older than the Internet, of course. But that doesn't make it right. We owe it to our users to make the Information Age a safe place for everyone -- not just those with "security awareness."

This essay previously appeared in the Sep/Oct issue of IEEE Security & Privacy.

24 Oct 21:13

Unicode

I'm excited about the proposal to add a "brontosaurus" emoji codepoint because it has the potential to bring together a half-dozen different groups of pedantic people into a single glorious internet argument.
10 Oct 14:45

The little voice in America's head

by Scandinavia and the World




10 Oct 14:42

wanderthewood: Skellig Islands, Kerry, Ireland by -Terrier-




28 Sep 14:13

Amtrak Security Awareness

by Bruce Schneier

I like this Amtrak security awareness campaign. Especially the use of my term "security theater."

28 Sep 14:05

World’s Largest Companies: 2016 vs 2006

by Barry Ritholtz

Source: The Economist

The post World’s Largest Companies: 2016 vs 2006 appeared first on The Big Picture.

28 Sep 14:01

Surprising Outcomes from Police Body Cameras

by Barry Ritholtz

The big question with body cameras: Who controls the footage? Source: Vox

The post Surprising Outcomes from Police Body Cameras appeared first on The Big Picture.

28 Sep 13:00

fuckinmiki: Flooded crypt of Winchester Cathedral A calm...



fuckinmiki:

Flooded crypt of Winchester Cathedral

A calm space under Winchester Cathedral - Antony Gormley’s statue
Photograph:Tycho1234/GuardianWitness

15 Sep 15:14

[Sasha Volokh] Fighting occupational licensing boards with antitrust

by Sasha Volokh

On Friday, I wrote about an amicus brief, for me and 54 other antitrust and competition policy scholars, that I wrote in Teladoc v. Texas Medical Board, a Fifth Circuit case involving the antitrust state-action immunity doctrine.

For a summary of the argument, see that post, but here’s an even shorter background: the Texas Medical Board wants to regulate telehealth providers; one such provider, Teladoc, sued the Board under federal antitrust law, arguing that the rule the Board promulgated was anticompetitive; and the Board claimed that it was immune from federal antitrust law as a state agency. Agencies composed of market participants need to be actively supervised by the state if they want to get immunity; so the question here is whether state-court administrative-law judicial review counts as “active supervision” within the meaning of the doctrine.

On Monday, I reproduced Part I of the brief, on “The Problem of Occupational Boards Dominated by Market Participants”. On Tuesday, I reproduced Part II, on why “Texas Administrative-Law Judicial Review Is Not Active Supervision”. Today, I’ll wrap it up, with the two last sections of the brief: “The Features of Texas Law That Supposedly Control Self-Dealing Are Irrelevant to Whether There Is Active Supervision” and “State Sovereignty and Cooperative Federalism Concerns Should Not Affect the Resolution of This Case”.

* * *

III. The Features of Texas Law That Supposedly Control Self-Dealing Are Irrelevant to Whether There Is Active Supervision

A. The Board Does Not Argue That These Features Constitute Active Supervision, Merely That They Should Lead to a Weaker Analysis

Despite its view that judicial review is “sufficient” supervision, the Board spends many pages talking about other features of Texas law. For instance, the fact that Board members are appointed by, and may be removed by, the Governor and Senate, and the fact that Board members are specialists from different fields, are supposedly “[f]eatures of the Board’s membership [that] minimize the risk that [the Board] will forego its mandate and act with only a private purpose.” Appellants’ Br. at 38–41. Good-government laws and reporting requirements “further reduce the risk that the Board will shirk its official duties and pursue only private interests.” Id. at 41–45. Later, the Board points to features of legislative oversight that “reinforce[]” or “buttress[]” active supervision, id. at 50–52.

The Board does not argue that these features themselves constitute active supervision. And wisely so: Such an argument would directly contravene the rule of Patrick, 486 U.S. at 102, Ticor, 504 U.S. at 633, and N.C. Dental, 135 S. Ct. at 1112, that active supervision must extend to the specific challenged actions. See id. (“The second Midcal requirement . . . seeks to avoid [the] harm [of private self-dealing] by requiring the State to review and approve interstitial policies made by the entity claiming immunity.”); id. at 1116 (“The supervisor must review the substance of the anticompetitive decision, not merely the procedures followed to produce it; the supervisor must have the power to veto or modify particular decisions to ensure they accord with state policy; and the ‘mere potential for state supervision is not an adequate substitute for a decision by the State.’” (citations omitted) (quoting Ticor, 504 U.S. at 638)); see also 1A Areeda & Hovenkamp, supra, ¶ 226c1, at 185–87 (“Of course, the active supervision must extend to the anticompetitive aspects of challenged conduct.”).

Rather, the Board argues that these features, because they control self-dealing and increase political accountability, should lead this Court to apply the active-supervision requirement less strictly than it otherwise would. See Appellants’ Br. at 41 (arguing that “the necessary degree of active supervision” depends on the “risk that [the Board’s] rulemaking does not pursue state policy,” which is mitigated by “its political accountability and structure”).

The argument of Part II, supra, implies that state judicial review is not active supervision at all, even under a weak standard, because it does not answer whether the merits of the specific Board decision have been actually approved by disinterested officials, it is not de novo, it does not occur before anticompetitive harm is suffered, and it relies on costly litigation by victims. So whether the active-supervision requirement should apply in watered-down form is not important here: The Board should be denied immunity regardless.

Nonetheless, the Board is incorrect that the active-supervision requirement should be watered down, for the following two reasons. First, N.C. Dental did not consider these institutional details relevant—rather, it broadly stressed the anticompetitive dangers posed by market-participant-dominated agencies. Second, a sliding scale of active-supervision analysis based on the estimated risk of self-dealing or extent of political accountability in particular cases would be unadministrable.

B. The N.C. Dental Court’s Reasoning and Holding Do Not Support an Active-Supervision Inquiry That Depends on the Risk of Self-Dealing

1. The Risk of Self-Dealing Only Affects the Threshold Determination of Whether Active Supervision Is Required

In N.C. Dental, the Supreme Court did look to “the risk that active market participants will pursue private interests in restraining trade.” 135 S. Ct. at 1114. But it did not suggest that this risk affected the stringency of the active-supervision requirement. Rather, this risk informed the threshold question whether to require compliance with the active-supervision prong of Midcal at all. Self-interest determines whether a Board needs supervision, not whether it is supervised. And the Board has conceded that it needs supervision, since it is dominated by market participants. Bringing in self-interest at this stage, to determine whether the Board is supervised, would amount to relitigating that issue.

The Board states that required active supervision “is ‘flexible’ and ‘context-dependent,’” and that “[t]hat requires a context-specific assessment” of the risk of self-dealing, Appellants’ Br. at 35 (citing N.C. Dental, 135 S. Ct. at 1116, 1114) (emphasis added). But yoking these statements together with a “[t]hat requires” is misleading. The context-specific assessment of the risk of self-dealing is the reason that Midcal’s active-supervision prong applies at all; assessing the precise degree of self-dealing risk is not part of the inquiry into how much supervision is enough. Moreover, N.C. Dental made clear that, despite the flexible and context-dependent nature of the test, there are a “few constants”: The supervision must be on the merits, must be de novo, and must have actually occurred rather than being merely potential. See N.C. Dental, 135 S. Ct. at 1116. None of those requirements is met here.

Thus, N.C. Dental explained that the actor in Hallie “was an electorally accountable municipality with general regulatory powers and no private price-fixing agenda,” 135 S. Ct. at 1114. The risk of self-dealing was thus low. But that consideration led the Court to exempt municipalities from the active-supervision prong altogether.

Conversely, in N.C. Dental itself, the Board of Dental Examiners was an “agenc[y] controlled by market participants,” which was “more similar to private trade associations vested by States with regulatory authority.” Id. Therefore, that dental board was fully subject to the active-supervision prong—just as if it were a trade association or other private actor.

When the Court talked about self-dealing, it deliberately painted with a broad brush to encompass all market-participant-controlled agencies, because market participation inherently provides “private anticompetitive motives”:

Limits on state-action immunity are most essential when the State seeks to delegate its regulatory power to active market participants, for established ethical standards may blend with private anticompetitive motives in a way difficult even for market participants to discern. Dual allegiances are not always apparent to an actor. In consequence, active market participants cannot be allowed to regulate their own markets free from antitrust accountability.

Id. at 1111. The Court added: “State agencies controlled by active market participants, who possess singularly strong private interests, pose the very risk of self-dealing Midcal’s supervision requirement was created to address.” Id. at 1114.

This is why the risk of self-dealing goes to the threshold question whether the active-supervision prong is required at all, not to how stringently to apply this prong. Market participation leads to (possibly unconscious) “[d]ual allegiances” and “private anticompetitive motives,” id. at 1111, and private parties “may be presumed to be acting primarily on [their] own behalf,” Hallie, 471 U.S. at 45. “Midcal’s supervision rule stems from the recognition that ‘[w]here a private party is engaging in anticompetitive activity, there is a real danger that he is acting to further his own interests, rather than the governmental interests of the State.’” N.C. Dental, 135 S. Ct. at 1112 (quoting Patrick, 486 U.S. at 100). The risk of self-dealing is why supervision is required; but once supervision is required, the only question is whether disinterested officials have actually approved of the merits of the specific anticompetitive policy.

The Supreme Court had the opportunity to introduce further gradations into the active-supervision prong, based on finely grained assessments of the risk of self-dealing for particular agencies, whether the agency officials were appointed or elected, or whether the particular agency was subject to good-government statutes like Public Records Acts and open-meetings laws. But it did not.

Instead, the Supreme Court held—in a sentence helpfully marked The Court holds today—that the same rule obtains for all market-participant-controlled boards: “The Court holds today that a state board on which a controlling number of decisionmakers are active market participants in the occupation the board regulates must satisfy Midcal’s active supervision requirement in order to invoke state-action antitrust immunity.” Id. at 1114. Since the absence of supervision was conceded in N.C. Dental, the Court did not commit itself to whether active supervision is governed by a sliding scale that depends on the precise extent of self-dealing and accountability; but N.C. Dental’s reasoning does not support an approach that depends on these factors.

(The Board cites the Areeda & Hovenkamp treatise to support the sliding scale idea. See Appellants’ Br. at 41 (citing 1A Areeda & Hovenkamp, supra, ¶ 227a, at 221 (“[T]he kind of supervision appropriate for a public body, even of the kind involved in Hoover, could well be far less than for an entirely private party.”)). But note the “could well” language: This is merely a suggestion of what might be, based on issues left unresolved in Hoover v. Ronwin, 466 U.S. 558 (1984). Moreover, this pre-N.C. Dental language does not suggest that an agency can dispense with the “few constants of active supervision,” 135 S. Ct. at 1116.)

2. Legislative Oversight Likewise Does Not Convert State-Court Judicial Review into Active Supervision

The Board further notes two aspects of legislative oversight: first, the review of rules by a legislative committee; and second, the sunset-review process. The Board does not argue that these constitute active supervision, see Appellants’ Br. at 51 (“[E]ven if this legislative review of proposed rules does not amount to active supervision on its own . . . .”); id. at 52 (similar). But it suggests that legislative oversight nonetheless “buttresses the supervision provided by judicial review,” id. at 51; see also id. at 52 (“reinforces”).

Legislative oversight thus plays a similar role to the other features of Texas law discussed above: In the Board’s view, it can bolster an otherwise insufficient supervision regime.

But this purported oversight does not help the Board’s case. A particular rule might never be scrutinized by a committee, because committees have other things on their agenda. If a committee does nothing, the rule goes into effect; committee review is thus “mere potential” review and looks like the “negative option” disapproved in Ticor, see 504 U.S. at 638. In fact, it is even worse than the negative option: Even if these committees act (perhaps long after anticompetitive harm is suffered), their only power is to “send to a state agency a statement supporting or opposing adoption of a proposed rule,” Tex. Gov’t Code § 2001.032(c), and even then a committee’s view is not that of the State as a whole.

As for sunset review, the Board’s last sunset review was in 2005 (before these rules were adopted), and the next one will be in 2017—after anticompetitive harm will have been suffered. Moreover, sunset review only reviews the enabling statute, not the agency’s regulations or interpretations. This, too, is “mere potential” review at best.

The Board cites no authority for combining individually insufficient features. But regardless, every feature here is so weak that their sum still does not answer the question relevant to state-action immunity: whether the merits of the Board’s specific anticompetitive actions have actually been approved by disinterested officials.

C. A Sliding Scale of Active-Supervision Scrutiny Depending on the Risk of Self-Dealing Would Be Unadministrable

It is true that there is no one-size-fits-all approach to active supervision; the inquiry is “flexible” and “context-dependent.” N.C. Dental, 135 S. Ct. at 1116. But the analysis is not therefore different for different types of market-participant-dominated agencies. (The antitrust Rule of Reason and the negligence rule of tort law are flexible and context-dependent, but this does not mean that there are different rules for different entities.) An inquiry that depended on the risk of self-dealing and extent of accountability in every case would be unadministrable. Moreover, it would increase uncertainty for state officials, who would not easily be able to determine whether a particular supervisory regime would be sufficient to avoid treble damages.

A uniform approach is a boon to practitioners and judges. It means that when a court hands down a decision holding whether a particular type of supervision is sufficient, that decision becomes useful precedent. But if the stringency of the active-supervision inquiry depends on the agency-specific risks of self-dealing, every agency in every State is potentially unique, depending on the details of oaths, appointment and removal provisions, state APAs, and the stringency of judicial review. Every precedent will be of limited value, and every case will require sifting through a mass of cases that are not entirely on point and, to some extent, evaluating every agency’s institutional constraints de novo.

The judiciary is ill-suited to estimating these fine gradations of risks of self-dealing. It is for similar reasons that the Supreme Court, in City of Columbia v. Omni Outdoor Advertising, Inc., 499 U.S. 365, 374–78 & n.5 (1991), rejected a “conspiracy” or “corruption” exception to state-action immunity. See also N.C. Dental, 135 S. Ct. at 1113 (calling such an exception “vague and unworkable”). This is also why antitrust doctrine has carved out areas of per se illegality and of “quick look” review, see, e.g., NCAA v. Bd. of Regents of Univ. of Okla., 468 U.S. 85, 109–10 & n.39 (1984); Cal. Dental Ass’n v. FTC, 526 U.S. 756, 770 (1999): Always requiring a full-blown Rule of Reason analysis would be overwhelming, even if theoretically more accurate.

Thus, there are strong administrability reasons to treat the active-supervision requirement as applying equally to all actors subject to the second prong of Midcal.

* * *

IV. State Sovereignty and Cooperative Federalism Concerns Should Not Affect the Resolution of This Case

Finally, the Board argues that immunity is necessary to maintain state sovereignty and cooperative federalism. Appellants’ Br. at 52–54. It is true that denying immunity affects the organization of state government. But this has always been implicit in state-action immunity.

Parker immunity is based on the notion that “an unexpressed purpose to nullify a state’s control over its officers and agents is not lightly to be attributed to Congress.” Parker, 317 U.S. at 351. Midcal recognized that “immunity for state regulatory programs is grounded in our federal structure.” Midcal, 445 U.S. at 103. N.C. Dental, even while denying immunity to a state agency, recognized that “[t]he Sherman Act protects competition while also respecting federalism.” 135 S. Ct. at 1117.

Parker and Midcal have always represented a compromise between state autonomy and federal supremacy. Because the Court already considered both federalism and antitrust values in Midcal and N.C. Dental, one should not take federalism into account again in individual cases. If one does not also simultaneously take antitrust (and federal supremacy) values into account in every case, the exercise is biased and therefore unfaithful to Midcal and N.C. Dental; but if one does consider antitrust values together with federalism values, one is merely replicating the Midcal and N.C. Dental inquiry, and the nature of precedent demands that one simply apply Midcal and N.C. Dental as straightforwardly as possible.

* * *

V. Conclusion

Therefore, the Board should be denied state-action immunity.

15 Sep 15:12

Recovering an iPhone 5c Passcode

by Bruce Schneier

Remember the San Bernardino killer's iPhone, and how the FBI maintained that they couldn't get the encryption key without Apple providing them with a universal backdoor? Many of us computer-security experts said that they were wrong, and there were several possible techniques they could use. One of them was manually removing the flash chip from the phone, extracting the memory, and then running a brute-force attack without worrying about the phone deleting the key.

The FBI said it was impossible. We all said they were wrong. Now, Sergei Skorobogatov has proved them wrong. Here's his paper:

Abstract: This paper is a short summary of a real world mirroring attack on the Apple iPhone 5c passcode retry counter under iOS 9. This was achieved by desoldering the NAND Flash chip of a sample phone in order to physically access its connection to the SoC and partially reverse engineering its proprietary bus protocol. The process does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors. By using the described and successful hardware mirroring process it was possible to bypass the limit on passcode retry attempts. This is the first public demonstration of the working prototype and the real hardware mirroring process for iPhone 5c. Although the process can be improved, it is still a successful proof-of-concept project. Knowledge of the possibility of mirroring will definitely help in designing systems with better protection. Also some reliability issues related to the NAND memory allocation in iPhone 5c are revealed. Some future research directions are outlined in this paper and several possible countermeasures are suggested. We show that claims that iPhone 5c NAND mirroring was infeasible were ill-advised.

Susan Landau explains why this is important:

The moral of the story? It's not, as the FBI has been requesting, a bill to make it easier to access encrypted communications, as in the proposed revised Burr-Feinstein bill. Such "solutions" would make us less secure, not more so. Instead we need to increase law enforcement's capabilities to handle encrypted communications and devices. This will also take more funding as well as redirection of efforts. Increased security of our devices and simultaneous increased capabilities of law enforcement are the only sensible approach to a world where securing the bits, whether of health data, financial information, or private emails, has become of paramount importance.

Or: The FBI needs computer-security expertise, not backdoors.

Patrick Ball writes about the dangers of backdoors.

15 Sep 15:12

Organizational Doxing and Disinformation

by Bruce Schneier

In the past few years, the devastating effects of hackers breaking into an organization's network, stealing confidential data, and publishing everything have been made clear. It happened to the Democratic National Committee, to Sony, to the National Security Agency, to the cyber-arms weapons manufacturer Hacking Team, to the online adultery site Ashley Madison, and to the Panamanian tax-evasion law firm Mossack Fonseca.

This style of attack is known as organizational doxing. The hackers, in some cases individuals and in others nation-states, are out to make political points by revealing proprietary, secret, and sometimes incriminating information. And the documents they leak do that, airing the organizations' embarrassments for everyone to see.

In all of these instances, the documents were real: the email conversations, still-secret product details, strategy documents, salary information, and everything else. But what if hackers were to alter documents before releasing them? This is the next step in organizational doxing -- and the effects can be much worse.

It's one thing to have all of your dirty laundry aired in public for everyone to see. It's another thing entirely for someone to throw in a few choice items that aren't real.

Recently, Russia has started using forged documents as part of broader disinformation campaigns, particularly in relation to Sweden's entering of a military partnership with NATO, and Russia's invasion of Ukraine.

Forging thousands -- or more -- documents is difficult to pull off, but slipping a single forgery in an actual cache is much easier. The attack could be something subtle. Maybe a country that anonymously publishes another country's diplomatic cables wants to influence yet a third country, so adds some particularly egregious conversations about that third country. Or the next hacker who steals and publishes email from climate change researchers invents a bunch of over-the-top messages to make his political point even stronger. Or it could be personal: someone dumping email from thousands of users making changes in those by a friend, relative, or lover.

Imagine trying to explain to the press, eager to publish the worst of the details in the documents, that everything is accurate except this particular email. Or that particular memo. That the salary document is correct except that one entry. Or that the secret customer list posted up on WikiLeaks is correct except that there's one inaccurate addition. It would be impossible. Who would believe you? No one. And you couldn't prove it.

It has long been easy to forge documents on the Internet. It's easy to create new ones, and modify old ones. It's easy to change things like a document's creation date, or a photograph's location information. With a little more work, pdf files and images can be altered. These changes will be undetectable. In many ways, it's surprising that this kind of manipulation hasn't been seen before. My guess is that hackers who leak documents don't have the secondary motives to make the data dumps worse than they already are, and nation-states have just gotten into the document leaking business.

Major newspapers do their best to verify the authenticity of leaked documents they receive from sources. They only publish the ones they know are authentic. The newspapers consult experts, and pay attention to forensics. They have tense conversations with governments, trying to get them to verify secret documents they're not actually allowed to admit even exist. This is only possible because the news outlets have ongoing relationships with the governments, and they care that they get it right. There are lots of instances where neither of these two things are true, and lots of ways to leak documents without any independent verification at all.

No one is talking about this, but everyone needs to be alert to the possibility. Sooner or later, the hackers who steal an organization's data are going to make changes in them before they release them. If these forgeries aren't questioned, the situations of those being hacked could be made worse, or erroneous conclusions could be drawn from the documents. When someone says that a document they have been accused of writing is forged, their arguments at least should be heard.

This essay previously appeared on TheAtlantic.com.

15 Sep 15:11

Talk by the Former Head of French SIGINT

by Bruce Schneier

The former head of French SIGINT gave a talk (removed from YouTube) where he talked about a lot of things he probably shouldn't have.

If anyone has 1) a transcript of the talk, or 2) can read the French articles better than I can, I would appreciate details.

EDITED TO ADD (9/13): Better link to the video. Improved translation of the Le Monde article. Summary of points from the first article. English article about the talk.

15 Sep 15:10

Collision Attacks Against 64-Bit Block Ciphers

by Bruce Schneier

We've long known that 64 bits is too small for a block cipher these days. That's why new block ciphers like AES have 128-bit, or larger, block sizes. The insecurity of the smaller block is nicely illustrated by a new attack called "Sweet32." It exploits the ability to find block collisions in Internet protocols to decrypt some traffic, even though the attackers never learn the key.

Paper here. Matthew Green has a nice explanation of the attack. And some news articles. Hacker News thread.
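The block-collision leak described above, as an added example that is not from the original post or the Sweet32 paper: a constructed 16-bit toy Feistel cipher in CBC mode stands in for a 64-bit cipher so that collisions appear after a few hundred blocks, and every function name here is hypothetical. It also computes the birthday bound for real block sizes and the data limit per key a defender would enforce.

```python
import hashlib
import math
import random

BLOCK_BITS = 16                  # toy size: collisions show up after ~2**8 blocks
HALF_BITS = BLOCK_BITS // 2
HALF_MASK = (1 << HALF_BITS) - 1


def _round(key, rnd, half):
    """Keyed round function: first byte of SHA-256(key || round || half)."""
    return hashlib.sha256(key + bytes([rnd, half])).digest()[0]


def toy_encrypt_block(key, block):
    """4-round Feistel permutation on 16-bit blocks (constructed, not a real cipher)."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for rnd in range(4):
        left, right = right, left ^ _round(key, rnd, right)
    return (left << HALF_BITS) | right


def cbc_encrypt(key, iv, blocks):
    """CBC mode: C[i] = E(P[i] xor C[i-1]), with C[-1] = IV."""
    out, prev = [], iv
    for p in blocks:
        prev = toy_encrypt_block(key, p ^ prev)
        out.append(prev)
    return out


def find_collisions(ct):
    """Index pairs (i, j), i < j, with equal ciphertext blocks. Uses ciphertext only."""
    first_seen, pairs = {}, []
    for j, c in enumerate(ct):
        if c in first_seen:
            pairs.append((first_seen[c], j))
        else:
            first_seen[c] = j
    return pairs


def leaked_xor(iv, ct, i, j):
    """E is a permutation, so C[i] == C[j] implies P[i]^C[i-1] == P[j]^C[j-1].
    Rearranged: P[i]^P[j] == C[i-1]^C[j-1], which needs no key."""
    prev_i = ct[i - 1] if i else iv
    prev_j = ct[j - 1] if j else iv
    return prev_i ^ prev_j


def collision_probability(block_bits, n_blocks):
    """Birthday approximation: 1 - exp(-n(n-1) / 2^(bits+1))."""
    return -math.expm1(-n_blocks * (n_blocks - 1) / 2 ** (block_bits + 1))


def max_bytes_for_risk(block_bits, p):
    """Bytes that can be encrypted under one key before the collision
    probability reaches p (the rekeying limit for that risk target)."""
    n_blocks = math.sqrt(2 ** (block_bits + 1) * -math.log1p(-p))
    return n_blocks * block_bits / 8


def demo(seed=1, n_blocks=2000):
    """Encrypt constructed random plaintext, then confirm every observed
    collision reveals the XOR of two plaintext blocks."""
    rng = random.Random(seed)
    key = bytes(rng.randrange(256) for _ in range(16))
    iv = rng.randrange(1 << BLOCK_BITS)
    plaintext = [rng.randrange(1 << BLOCK_BITS) for _ in range(n_blocks)]
    ct = cbc_encrypt(key, iv, plaintext)
    pairs = find_collisions(ct)
    checked = [leaked_xor(iv, ct, i, j) == plaintext[i] ^ plaintext[j]
               for i, j in pairs]
    return pairs, checked


if __name__ == "__main__":
    pairs, checked = demo()
    print(f"toy cipher: {len(pairs)} collisions in 2000 blocks, "
          f"all leak P[i]^P[j]: {all(checked)}")
    for bits in (64, 128):
        p = collision_probability(bits, 2 ** 32)
        print(f"{bits}-bit block, 2^32 blocks under one key: p = {p:.3g}")
    mib = max_bytes_for_risk(64, 1e-6) / 2 ** 20
    print(f"64-bit block, risk target 1e-6: rekey after ~{mib:.0f} MiB")
```

The 2^32 blocks in the name correspond to 32 GiB of traffic under one key for a 64-bit cipher, which is why the practical mitigations are a 128-bit block cipher or a strict per-key data limit.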

14 Sep 18:31

Someone Is Learning How to Take Down the Internet

by Bruce Schneier

Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down. We don't know who is doing this, but it feels like a large nation state. China or Russia would be my first guesses.

First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it's overwhelmed. These attacks are not new: hackers do this to sites they don't like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it's a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.

Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they're used to seeing. They last longer. They're more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.

The attacks are also configured in such a way as to see what the company's total defenses are. There are many different ways to launch a DDoS attack. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they've got to defend themselves. They can't hold anything back. They're forced to demonstrate their defense capabilities for the attacker.

I am unable to give details, because these companies spoke with me under condition of anonymity. But this all is consistent with what Verisign is reporting. Verisign is the registrar for many popular top-level Internet domains, like .com and .net. If it goes down, there's a global blackout of all websites and e-mail addresses in the most common top-level domains. Every quarter, Verisign publishes a DDoS trends report. While its publication doesn't have the level of detail I heard from the companies I spoke with, the trends are the same: "in Q2 2016, attacks continued to become more frequent, persistent, and complex."

There's more. One company told me about a variety of probing attacks in addition to the DDoS attacks: testing the ability to manipulate Internet addresses and routes, seeing how long it takes the defenders to respond, and so on. Someone is extensively testing the core defensive capabilities of the companies that provide critical Internet services.

Who would do this? It doesn't seem like something an activist, criminal, or researcher would do. Profiling core infrastructure is common practice in espionage and intelligence gathering. It's not normal for companies to do that. Furthermore, the size and scale of these probes -- and especially their persistence -- points to state actors. It feels like a nation's military cybercommand trying to calibrate its weaponry in the case of cyberwar. It reminds me of the US's Cold War program of flying high-altitude planes over the Soviet Union to force their air-defense systems to turn on, to map their capabilities.

What can we do about this? Nothing, really. We don't know where the attacks come from. The data I see suggests China, an assessment shared by the people I spoke with. On the other hand, it's possible to disguise the country of origin for these sorts of attacks. The NSA, which has more surveillance in the Internet backbone than everyone else combined, probably has a better idea, but unless the US decides to make an international incident over this, we won't see any attribution.

But this is happening. And people should know.

This essay previously appeared on Lawfare.com.

EDITED TO ADD: Slashdot thread.

EDITED TO ADD (9/15): Podcast with me on the topic.

14 Sep 18:27

USB Kill Stick

by Bruce Schneier

It costs less than $60.

For just a few bucks, you can pick up a USB stick that destroys almost anything that it's plugged into. Laptops, PCs, televisions, photo booths -- you name it.

Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester's repertoire of tools and hacks, says the Hong Kong-based company that developed it. It works like this: when the USB Kill stick is plugged in, it rapidly charges its capacitors from the USB power supply, and then discharges -- all in the matter of seconds.

On unprotected equipment, the device's makers say it will "instantly and permanently disable unprotected hardware".

You might be forgiven for thinking, "Well, why exactly?" The lesson here is simple enough. If a device has an exposed USB port -- such as a copy machine or even an airline entertainment system -- it can be used and abused, not just by a hacker or malicious actor, but also electrical attacks.

Slashdot thread.

14 Sep 18:12

Hands-on: Blue Hydra can expose the all-too-unhidden world of Bluetooth

by Sean Gallagher
  • The SENA UD100 Bluetooth adapter, plus a slightly larger antenna, allows Blue Hydra to peer deep into the Bluetooth world.
    Sean Gallagher

My new neighbor was using AirDrop to move some files from his phone to his iMac. I hadn't introduced myself yet, but I already knew his name. Meanwhile, someone with a Pebble watch was walking past, and someone named "Johnny B" was idling at the stoplight at the corner in their Volkswagen Beetle, following directions from their Garmin Nuvi. Another person was using an Apple Pencil with their iPad at a nearby shop. And someone just turned on their Samsung smart television.

I knew all this because each person advertised their presence wirelessly, either over "classic" Bluetooth or the newer Bluetooth Low Energy (BTLE) protocol—and I was running an open source tool called Blue Hydra, a project from the team at Pwnie Express. Blue Hydra is intended to give security professionals a way of tracking the presence of traditional Bluetooth, BTLE devices, and BTLE "iBeacon" proximity sensors. But it can also be connected to other tools to provide alerts on the presence of particular devices.

Despite their "Low Energy" moniker, BTLE devices are constantly polling the world even while in "sleep" mode. And while some Bluetooth devices use randomized media access control (MAC) addresses, they advertise other data that is unique to each device, including a universally unique identifier (UUID). As a result, if you can tie a specific UUID to a device by other means, you can track the device and its owner. By using the Received Signal Strength Indication (RSSI), you can get a sense of how far away they are.


14 Sep 18:11

[Nita Farahany] What do the presidential candidates think about science and technology?

by Nita Farahany

Three of the four major candidates for U.S. president have responded to “America’s Top 20 Presidential Science, Engineering, Technology, Health and Environmental Questions.” The nonprofit advocacy group ScienceDebate.org, who has posed questions and called for a scientific debate in each of the past three presidential elections, has posted their responses online. Hillary Clinton, Donald Trump and Jill Stein had all responded, with no responses yet from Gary Johnson.

A few responses between the two leading candidates are notable:

Question 3 focuses on climate change:

  • Clinton begins with: “When it comes to climate change, the science is crystal clear. Climate change is an urgent threat and a defining challenge of our time and its impacts are already being felt at home and around the world.”
  • Trump says: “There is still much that needs to be investigated in the field of ‘climate change.’”

Question 5 is about the Internet:

  • Clinton remarks: “The next President will be confronted with these challenges, and will need common sense approaches to balance cybersecurity with personal privacy. The next president must be able to thoughtfully address these nuanced issues.”
  • Trump says: “The United States government should not spy on its own citizens. That will not happen in a Trump administration.” Umm, really? Never?

Question 9 asks about federal investment to address emerging diseases and other public health threats, such as antibiotic-resistant superbugs:

  • Clinton says, among other things: “I will create a Public Health Rapid Response Fund, with consistent, year-to-year budgets, to better enable the Centers for Disease Control, the U.S. Department of Health and Human Services, the Federal Emergency Management Agency, state and local public health departments, hospital systems, and other federal agencies to quickly and aggressively respond to major public health crises and pandemics.”
  • Trump says: “The implication of the question is that one must provide more resources to research and public health enterprises to make sure we stay ahead of potential health risks. In a time of limited resources, one must ensure that the nation is getting the greatest bang for the buck. We cannot simply throw money at these institutions and assume that the nation will be well served.”

Question 14 asks about streamlining regulations to ensure innovation:

  • Clinton says: “It is essential that environmental, health, and energy regulations, among other areas, use the best available science to guide decision-making, and I am committed to making sure that continues.”
  • Trump says: “Science will inform our decisions on what regulations to keep, rescind or add. A vibrant, robust free market system will regulate the private sector.”

Overall, the answers seem to track ideological differences — Trump emphasizes market solutions to questions of science and technology, while Clinton emphasizes the role of the federal government in investing in scientific development and technology.

The Clinton responses are specific, with examples and details, while the Trump responses are relatively brief and often vague.

Overall, given the importance of science and technology to national progress, growth and competitiveness, these answers are a valuable read.

 

13 Sep 17:23

[Ilya Somin] Gary Johnson says “Kelo really stands out” as a test case for Supreme Court nominees

by Ilya Somin
Libertarian presidential candidate Gary Johnson.

In a recent interview, Libertarian presidential candidate Gary Johnson said that Kelo v. City of New London is a key case for evaluating potential Supreme Court nominees:

“Would you have any litmus tests for a Supreme Court justice on cases like Kelo, for example, cases that really matter to libertarians, libertarian principles?” Benson asked.

“Yeah I think Kelo is one that really does stand out,” Johnson responded. “Although we don’t have litmus tests, but Kelo really stands out as a litmus test, in my opinion.”

In the same interview, Johnson also repudiated his vice-presidential nominee’s earlier remarks suggesting that the two might appoint justices like Stephen Breyer (who was in the majority in Kelo).

It is unfortunate that Johnson’s statement isn’t entirely clear (he cannot literally both abjure litmus tests, and simultaneously use Kelo “as a litmus test”). But I suspect he means to say that potential nominees’ positions on Kelo and related issues will be an important criterion for evaluating them, even if it won’t necessarily be completely dispositive by itself.

Kelo is the notorious 2005 decision in which a narrow 5-4 Supreme Court majority ruled that it is permissible for the government to take homes and other property from private individuals, and give it to other private parties in order to promote “economic development.” Although the Fifth Amendment states that the government may only take property for a “public use,” the Court ruled that virtually any potential benefit to the public qualifies as such, and that the government does not even have to prove that the supposed benefits will ever actually materialize. In the Kelo case, it didn’t. The site once occupied by fifteen residential properties is today used only by a colony of feral cats.

One of the feral cats that have taken up residence on the property condemned in the Kelo case. (Photo by Jackson Kuhl).

No potential nominee should be judged solely on the basis of a single case. But Johnson is right to emphasize Kelo as an important yardstick – and not just because I happen to have written a book arguing that the Supreme Court made a major mistake in that ruling.

The issue addressed in Kelo is an important one. As a result of Kelo and similar earlier precedents dating back to the 1950s, hundreds of thousands of people have been forcibly displaced from their homes and businesses, most of them poor, politically weak, and racial and ethnic minorities. The Kelo decision is also replete with errors, and unsound from the standpoint of both originalism and leading versions of living constitutionalism.

Potential nominees’ attitudes towards Kelo are also significant for reasons that go beyond the specific issues addressed in the case itself. As a matter of legal logic, the definition of “public use” is distinct from most other issues in constitutional law. But, in practice, judicial nominees who support Kelo are unlikely to give more than minimal protection to other constitutional property rights. Among elite jurists and legal scholars (the kinds of people with a realistic chance of being appointed to the Court), most defenders of Kelo come from the ranks of those who believe that courts should systematically defer to the government in all or most cases involving property rights and other “economic” matters. Some also extend that deferential attitude to a variety of other constitutional rights, as well.

Kelo is also a significant case for those who want originalist judges. With few exceptions, prominent originalist judges and legal scholars tend to be opposed to Kelo. Kelo critics are by no means uniformly originalist. But originalists are overwhelmingly critical of Kelo. As discussed more fully in my book, a wide range of evidence shows that the original meaning of “public use” was restricted to condemnation of property for public infrastructure projects, common carriers and public utilities. It does not permit transfers to private business interests merely on the grounds that they might benefit the local economy in some way. Johnson previously said that he wants to appoint justices who will follow the “original intent” of the Constitution. His statement about Kelo is evidence that he means it.

Johnson’s position on Kelo stands in sharp contrast to that of GOP nominee Donald Trump, who is a longtime defender of the ruling, and also a beneficiary of abusive takings, including one where he lobbied Atlantic City to use eminent domain to take an elderly widow’s house so he could build a casino parking lot on the site. Trump says he agrees with Kelo “100%” and has offered a variety of ludicrous arguments claiming that economic development takings are actually beneficial. Even socialist Bernie Sanders has a far better position on Kelo than Trump.

Trump’s defense of Kelo and economic development takings is one of several reasons why he cannot be trusted to appoint justices who will effectively protect important constitutional rights against the government – or ones who care about enforcing the text and original meaning. His election would also likely be a disaster for constitutional originalism. Johnson is a vastly superior choice.

I have some significant differences with Johnson. But it is increasingly clear that he is far preferable to either of the major party nominees, particularly on constitutional issues. Hillary Clinton is a lesser evil than Donald Trump, and voting for a lesser evil is justified if there is no other realistic option. But perhaps Gary Johnson will yet spare us the need to make such a decision. The odds are against him, but not nearly as much as for most third party candidates. I hope to write more about Johnson and his positions in future posts.

30 Aug 15:58

Venus and Jupiter Kiss This Weekend

by Phil Plait

There’s a real treat in the sky over the next few nights: Venus and Jupiter will be very close together. How close?

Very, very close. Closest approach (what astronomers call the appulse, but is more colloquially and commonly called a conjunction) will be on Saturday at 22:00 UTC (18:00 Eastern U.S. time), and at that time they’ll be an incredible four arcminutes apart. That’s only one-seventh the width of the full Moon on the sky!* In fact Jupiter appears half an arc minute across, so Venus will only be about eight times Jupiter’s diameter away!

That’s close. Close enough that they’ll barely be far enough apart to separate by eye. The simulated shot at the top of this post shows the view through a telescope at closest approach; you can see Jupiter, its moons, and Venus all together nice and snug.

Now for the not so great news: The two are only a little over 20° from the Sun, so they’ll be low over the western horizon by the time the sky gets dark after sunset. The good news though is that both are so bright they’re visible even while the sky is still bright, especially in binoculars. If you know where to look you can actually see them when the Sun is up, too! But that’s for folks with some experience; do NOT search for them with binoculars; the Sun is so bright it can physically hurt your eyes if you accidentally glimpse it through them.

The conjunction is cool not just because it’s pretty (and it is). It’s also rare. The planets orbit the Sun, moving at different speeds. They all stay in pretty much the same plane—it’s usually called the plane of the solar system—and we’re in it too, so the planets move more or less along the same path in the sky. But not exactly the same path, so they pass each other at various distances. A close pass is pretty rare and in fact this is the closest any two planets get all year.

It’s also cool because of the physical reality of what you’re seeing. Venus orbits the Sun closer than Earth, and it’s on the other side of the Sun right now. So you’re looking past the Sun (which is 150 million kilometers away from us) to Venus, which is about 230 million kilometers away. Jupiter is a staggering 950 million kilometers away!

What amazes me is that even though Jupiter is more than four times farther away, it still appears three times bigger than Venus. That’s because Jupiter is ridiculously huge, a dozen times the diameter of Venus.

And one other thing. I’ve written about Juno, the spacecraft currently in orbit around Jupiter. It currently takes 53.5 days to go around Jupiter once and is screaming back toward Jupiter right now. On Saturday, the same day as the conjunction, Juno reaches perijove, its closest approach to Jupiter—just 4,000 kilometers above the cloudtops! After that it heads back out, moving away from the giant planet once again. In October, it’ll fire its engine and lower the orbit, moving it into its science orbit.

My friend Emily Lakdawalla at the Planetary Society has written about Juno many times, and describes an amazing video showing Jupiter as seen from the spacecraft as it moved away from Jupiter nearly two months ago. Here’s the video, but go read Emily’s write-up, because (as usual) it’s great.

I love how Jupiter is half full, a view we don’t get from Earth.

But our view this weekend (and really for several days) of Jupiter will be amazing, and that’s a pretty good consolation prize. I hope you have clear skies and an unrestricted view of this wonderful event.

Correction, Aug. 26, 2016: I originally misstated that the separation was one-fifteenth the width of the Moon, but the Moon is 0.5 degrees (or 30 arcminutes) across. Thirty divided by four is roughly 7.

27 Aug 03:55

[David Bernstein] The case for Trump?

by David Bernstein

I have been and remain a never-Trumper. Nevertheless, I read conservative (and even the rare libertarian) defenses of Trump that I see on social media with interest. Of course, the most prominent defense of Trump is that he’s Not Hillary. But that’s true of more than 200 million Americans who are eligible to be president, so that’s hardly a rousing endorsement.

Beyond that, I’ve come across two themes that Trump supporters focus on, both directly relating to law.

The first is the future of the Supreme Court. Unlike co-blogger Ilya, I think it’s very likely that Trump would support justices that Federalist Society types would approve of. He just doesn’t know or care much about the judiciary, and therefore is likely to delegate the selection process to underlings who understand how important this issue is to the Republican base (remember Harriet Miers?). So this is a legitimate reason for favoring Trump. I just don’t think it sufficient to justify putting a crude, narcissistic ignoramus in charge of the executive branch of government, free to launch trade wars and real wars and to appoint cronies to the executive branch who will abuse their authority for the greater glory of Trump.

This brings us to the second rationale, that while Trump seems to have authoritarian tendencies and has praised President Obama’s use of executive orders (though not their content), any abuse of executive authority will lead to a massive backlash in the mainstream media, and even from Republicans in Congress. By contrast, to the extent that Hillary Clinton continues to build on President Obama’s lawlessness, the media, favoring Democrats and wishing success for the first woman president, will be as quiescent about her abuses as they have been about Obama’s.

I think that those who believe that Republicans in Congress (and Republicans will likely control the House and Senate if Trump wins the presidency) will serve as a significant check on Trump are dreaming. Whichever party has the presidency, members of that party with very few exceptions defend “their” president. And while it’s hardly encouraging that prominent Clinton supporters think it’s a point in her favor that they expect her to ignore the law to the extent she can get away with it, I expect that the content of her abuses will be similar to Obama’s — mostly pushing a progressive agenda, while I fear that given Trump’s narcissism and thin-skinnedness, he would more likely use the might of the federal government to target critics. I’m hardly sanguine about the results of a Clinton presidency (and I expect I’ll vote for Gary Johnson), but the contrast is between a continued downslide into Third Worldish executive despotism, and a rather predictable headlong leap.

26 Aug 23:18

How Presidential Candidates Are Seen around the World

by Barry Ritholtz

Some interesting data points here: Obama polls better abroad than in the US; Astonishingly, Trump polls below Vladimir Putin . . .

 

 
Source: Pew Research

The post How Presidential Candidates Are Seen around the World appeared first on The Big Picture.