Saturday, February 18, 2006

The Security Catalyst podcast

I recommend Michael Santarcangelo's "Security Catalyst" podcasts, which can be subscribed to at no charge via iTunes or Yahoo Podcasts. He's got additional information and links related to the shows at the Security Catalyst website.

Michael, whom I met a few years back through a consulting engagement that was a "death-march project," is a sharp, witty, and well-spoken advocate of and educator for good computer security.

Carrier and Wanchick debate: Argument from Mind-Brain Dysteleology

I've posted a commentary on the exchange between Richard Carrier and Tom Wanchick about this particular argument from Carrier. The post is at the Secular Outpost.

Friday, February 17, 2006

Underground London

Some very interesting photos of old subway lines, former stables, and other semi-abandoned tunnels underneath London. (At BLDGBLOG.)

UPDATE (May 21, 2007): Nick Catford's Subterranea Britannica is the place to go for photos and information about underground sites in Britain.

Coyote Carnival #1

The first Coyote Carnival, a collection of posts from Arizona blogs, may be found here.

Database error causes unbalanced budget

Bruce Schneier reports on how a house in Valparaiso, Indiana was incorrectly valued at $400 million due to a single-keystroke error by an "outside user" of Porter County's appraisal records. This incorrect valuation led to an expectation of $8 million in property taxes due from that homeowner, which led to erroneous budget increases and even the distribution of funds. Now the Porter County Treasurer has had to ask 18 governmental units to return funds--the city of Valparaiso and Valparaiso Community School Corp. have been asked to return $2.7 million, which will leave the school system with a $200,000 budget shortfall.

The number of errors here is huge. First, an outside user shouldn't have been able to change assessment data at all, let alone by a typo that invoked "an assessment program written in 1995" which "is no longer in use, and technology officials did not know it could be accessed." Second, there should have been checks on the data to flag anomalies like a house suddenly jumping in value to $400 million. Third, there should have been checks on the accuracy of budget numbers before any funds were disbursed. And I'm sure I'm only scratching the surface--it sounds like they've got some serious IT infrastructure issues.
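To make the second and third of those checks concrete, here is an added example (mine, not anything from the post or from Porter County's systems) of what layered validation on an assessment roll looks like: one check at the point where a record is written, and an independent reconciliation at the point where the expected levy is about to drive budgets. The record format, the thresholds, and the sample parcels are constructed assumptions; the 2% tax rate is just the ratio of the post's $8 million figure to its $400 million figure.

```python
from dataclasses import dataclass

# Constructed assumptions for the example (not Porter County's actual rules).
MAX_JUMP_RATIO = 5.0             # a >5x change in one assessment cycle is suspect
RESIDENTIAL_CAP = 50_000_000     # no single house plausibly exceeds this value
MAX_PARCEL_LEVY_SHARE = 0.25     # one parcel carrying >25% of the whole levy is suspect
TAX_RATE = 0.02                  # $400M valuation -> ~$8M expected tax, as in the post


@dataclass(frozen=True)
class Assessment:
    parcel_id: str
    prior_value: int   # last certified assessed value, in dollars
    new_value: int     # proposed value after this update
    source: str        # who wrote the record: "assessor" or "external"


def validate_update(a: Assessment) -> list[str]:
    """Ingestion-time check: reasons to hold this update for review (empty list = accept)."""
    problems: list[str] = []
    # Only the assessor's office should be able to write values at all.
    if a.source != "assessor":
        problems.append("write from non-assessor source")
    # Implausible absolute value for a residence.
    if a.new_value > RESIDENTIAL_CAP:
        problems.append(f"value {a.new_value:,} exceeds cap {RESIDENTIAL_CAP:,}")
    # Implausible change relative to the last certified value.
    if a.prior_value > 0 and a.new_value / a.prior_value > MAX_JUMP_RATIO:
        problems.append(f"value changed {a.new_value / a.prior_value:.0f}x in one cycle")
    return problems


def reconcile_levy(assessments: list[Assessment]) -> dict:
    """Disbursement-time check: compute the expected levy and flag any parcel that
    dominates it. This runs on whatever is in the roll, so it still catches a bad
    record when the ingestion check was bypassed (as the forgotten 1995 program was).
    The share test is meaningful only on a roll with many parcels."""
    total = sum(a.new_value for a in assessments) * TAX_RATE
    flagged: dict[str, float] = {}
    for a in assessments:
        share = (a.new_value * TAX_RATE) / total if total else 0.0
        if share > MAX_PARCEL_LEVY_SHARE:
            flagged[a.parcel_id] = round(share, 3)
    safe_total = sum(a.new_value for a in assessments if a.parcel_id not in flagged) * TAX_RATE
    return {
        "expected_levy": round(total),
        "flagged_parcels": flagged,
        "levy_without_flagged": round(safe_total),
        "at_risk": round(total - safe_total),  # money that would go out on suspect data
    }


# Constructed sample roll: three ordinary houses plus one record whose value was
# fat-fingered through an outside write path.
SAMPLE_ROLL = [
    Assessment("P-001", 150_000, 155_000, "assessor"),
    Assessment("P-002", 210_000, 215_000, "assessor"),
    Assessment("P-003", 95_000, 99_000, "assessor"),
    Assessment("P-004", 120_000, 400_000_000, "external"),
]

if __name__ == "__main__":
    for a in SAMPLE_ROLL:
        print(a.parcel_id, validate_update(a) or "ok")
    print(reconcile_levy(SAMPLE_ROLL))
```

On the sample roll the bad record trips all three ingestion checks, and even if it had slipped through, the reconciliation shows one parcel accounting for nearly the entire $8 million levy, which is exactly the figure that should never have reached 18 governmental units' budgets.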

Thursday, February 16, 2006

RIAA: Burning CDs to MP3s is not fair use

Every three years, the U.S. Copyright Office accepts comments on the Digital Millennium Copyright Act (DMCA) for additional rule-making and exemptions. The Electronic Frontier Foundation (EFF) has given up on participating in the process, which they consider too broken to be worthwhile--consumer interests are simply not taken into consideration.

The RIAA's most recent filing (PDF) in this process shows that they've reversed the position they took before the Supreme Court at the March 2005 oral argument in the MGM v. Grokster case, when attorney Don Verrilli stated (PDF, p. 12):
The record companies, my clients, have said, for some time now, and it's been on their website for some time now, that it's perfectly lawful to take a CD that you've purchased, upload it onto your computer, put it onto your iPod.
The RIAA's position in the new filing (PDF, p. 22 footnote 46) is:
Nor does the fact that permission to make a copy in particular circumstances is often or even "routinely" granted, [...] necessarily establish that the copying is a fair use when the copyright owner withholds that authorization. In this regard, the statement attributed to counsel for copyright owners in the Grokster case is simply a statement about authorization, not about fair use.
That is, they are claiming that they've given permission for such use, and have the right to take it away at any time, because it is not a matter of fair use. The filing points out that this is the 2003 position of the Register of Copyrights, who is quoted (p.22):
proponents have not established that space-shifting or platform-shifting is a noninfringing use.
On the same page (22), the filing states:
Similarly, creating a back-up copy of a music CD is not a non-infringing use....
(Somewhat less information may be found at the EFF's blog entry which pointed me to this filing, Deep Links.)

Tuesday, February 14, 2006

Geddes on net neutrality

Martin Geddes has a nice commentary on the vagueness of "net neutrality" and its implications (I previously commented on the subject here). He divides net neutrality advocates into bottoms, middles, and tops (based on layers, not giving vs. receiving). "Bottomistas" want neutrality on the offered underlying protocols and aren't happy just getting IPv4 (or just IPv6); at the extreme they would want a choice between ATM, Ethernet, or their own Layer 2 protocol. The "middlemen" distinguish "raw IP" (which backbones carry, or perhaps which ISPs use internally) from "retail IP" (what the end user customer gets), and endorse neutrality on the latter. The "tops" are comfortable with the kind of filtering done by many retail ISPs (e.g., port 25 filtering), but oppose filtering directed at particular service providers or applications.

Geddes argues that the Internet isn't really a thing, but a set of agreements between different entities that are each doing their own thing with their own property--and that "Internet Governance" itself doesn't make much sense outside of IP address allocation and routing.

He raises a host of interesting questions, like:
Is neutrality a wholesale or a retail problem? What if the access infrastructure owner offers “neutral” IP connectivity, but no retail provider chooses to pass that on directly to the public without layering on some filtering and price discrimination?
and
Oh, and what’s so special about the Internet? Do other IP-based networks need neutrality principles? Do any networks? Should more network industries be forced to forego “winner takes all” rewards? Google looks awfully dominant at adverts, doesn’t it… I wonder if that ad network needs a bit of “neutrality”?
These are the sorts of issues that need to be considered in formulating any kind of "net neutrality" that can actually be put into a statute or regulatory framework, and it doesn't seem likely to me that it will be easy to come up with one that has broad appeal and doesn't trample on private contract and property rights. I think Geddes may be right when he says neutrality is "an output, not an input."

His post is well worth reading, as is the commentary from Brett Watson.

UPDATE: Geddes has more at Telepocalypse.

New Richard Cheese album

Richard Cheese has released a "best of" album, The Sunny Side of the Moon. I was given a copy yesterday by Cheese's alter-ego, Mark Davis, a former Phoenician whom I've known since grade school but hadn't seen in person for a few years. I've listened to most of the tracks (and have all of his other albums, Lounge Against the Machine, Tuxicity, I'd Like A Virgin, and Aperitif for Destruction), and it's a better deal than most "best of" albums. There's the standard bonus track not found elsewhere, but there are also several new "big band" re-recordings (completely new versions) and a couple of remixes. And it sounds like he may be doing some shows again in the near future.

Mark has another project in the works, Revolution Central, but he hasn't been able to spend much time on it lately, so there are still a lot of those annoying "coming soon"-type pages.

The Secret FISA Court

Via Steve's No Direction Home Page:

Apparently presidential wiretapping is frowned upon--when it's done by Clinton.

Some of the reader comments are hilarious, viz.:

"Any chance of Bush rolling some of this back?"

"As quietly as possible (although it sometimes breaks out into the open, usually with the sound of gunfire and the death of innocents), a "shadow government" has been set up all around us my friend. Its foundation is not the constitution, but Executive Orders, Presidential Proclamations, Secret Acts, and Emergency Powers."

"This is wherein the danger lies in the precedent set by the Clinton criminal administration. God only knows who will be in power next, but there are no checks and balances anymore. This is exactly the SORT of thing I've been protesting all along. Libs just don't see this!"

Monday, February 13, 2006

UK Terrorism Bill appears to impact ISPs

A "Terrorism" bill in UK Parliament, as amended in the House of Lords on January 25, 2006, looks like it could have considerable impact on ISPs. The first section of the bill, titled "Encouragement of terrorism," makes it a crime to publish a statement or cause another to publish a statement with the intended effect (or with recklessness to the possibility of such an effect) of directly or indirectly encouraging members of the public "to commit, prepare or instigate acts of terrorism or Convention offences." "Indirect encouragement" means "the making of a statement describing terrorism in such a way that the listener would infer that he should emulate it."

The second section of the bill, titled "Dissemination of terrorist publications," is more problematic. It makes it a crime to disseminate terrorist publications "with the intention of directly or indirectly encouraging or inducing the commission, preparation or instigation of acts of terrorism, or of providing information with a view to its use in the commission or preparation of such acts" (or with recklessness to the possibility of such an effect). The definition of "dissemination of terrorist publications" is extremely broad, and includes those who "provide a service to others that enables them to obtain, read, listen to, or look at such a publication, or to acquire it by means of a gift, sale, or loan" and anyone who "transmits the content of such a publication electronically" or "has such a publication in possession with a view to its becoming the subject of conduct" falling within any of the preceding sections (including transmission).

This means that mere possession of such material isn't a crime, but possession with intent to transmit (e.g., hosting or having it in a location shared via P2P) is a crime, as is the transmission itself (if done with intent or recklessness).

The proposed statute provides that someone accused of this crime has an affirmative defense by showing that the material does not express their views and did not have their endorsement and that it was "clear, in all circumstances of the conduct" that those two conditions were met--except in the case of a notification from a constable in section 3 (which applies sections 1 and 2 to "Internet activity").

This notification provision is similar in many respects to the Digital Millennium Copyright Act (DMCA) in the United States--if a constable provides notification to a "relevant person" that he is hosting "terrorist publications," that person has two working days to take down the material, or else is deemed to have endorsed the publication (unless he has a "reasonable excuse" for the failure to take it down). Unlike the DMCA, there is no counter-notice provision.

The section about Internet activity doesn't define how the constable determines who to notify, or who is responsible for material located downstream of an ISP. If providers are responsible for anything downstream, then this could force an upstream provider to blackhole a server IP that provides many websites to many customers because of illicit content provided by one person. It's also not clear whether a provider could be held responsible for material that it transmits but does not host--in which case this would force ISPs operating in the UK into acting as managed content filtering service providers for the UK government any time a constable designates online material as a "terrorist publication."

The offense carries a maximum prison sentence of seven years.