Monthly Archives: April 2014

Restaurant Googles its patrons

A restaurant is using Google to gather information about its customers before they arrive. They are doing this in order to provide better service by customizing patrons’ experiences. They will wish someone a happy birthday, match servers with patrons with certain similar interests, etc.

While I can understand trying to provide better service, it’s sort of creepy having someone snoop on you personally. They aren’t necessarily looking at your professional life (although they could use information regarding your career to connect with a patron on a more personal level). They gather and use any information that they can find on the internet about you.

Imagine you sit down to eat, and a server comes up and unexpectedly wishes you a happy birthday. Would you say thank you and feel good that someone took the time to wish you a happy birthday? Or would you wonder, or possibly ask how he/she knew it was your birthday? My reaction would be surprise (not the good kind) and a feeling of violation, possibly disgust (after I confirmed with everyone at my table that they said nothing about it being my birthday).

At what point do we say it’s ok for anyone to know certain information about you and when it’s not ok? I thought a quote from this article stated it pretty well: “most people aren’t too hesitant to give up their personal information, but when it’s used for stuff they aren’t expecting, it feels like a violation.”

Heartbeat request caused a “heartbleed”

What is Heartbleed?

The Heartbleed Bug defines this bug as “[A] serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.” A lot of big security experts have called this bug the biggest security issue of the internet to date. It basically allows anyone on the internet to read a chunk of memory that OpenSSL uses to keep your stuff protected. This means your usernames, passwords, content, and even worse, the key that is used to encrypt all this information can be the object of this attack. If the attacker gets that key, they will then be able to read anything that OpenSSL tries to “hide”. Furthermore, OpenSSL is one of the most widely used encryption tools on the internet.

So all this sounds like a new thing that people usually find out when some hacker hacks a big server. However, this flaw has been around since 2012 and nobody knew about it until about 2 weeks ago when this bug was independently found by Neel Mehta, a Google Security engineer, and a group of security engineers at Codenomicon.

What did they do?

As far as I know, what they did was report it to NCSC-FI and the OpenSSL team and somewhat publicize it. This caused all the big server holders such as Facebook, Yahoo, Microsoft, etc. to solve this issue because now everybody knew about it. Five days after discovery of the bug, this list was released containing the top 1000 sites and whether they were vulnerable or not. 48 of these websites were still vulnerable at that point in time. Among these vulnerable websites, we can see some of the big server holders such as Yahoo!, stackoverflow, and Flickr!

Ethical issues:

The main question that we can ask here is who is to blame. One answer could be that the people developing OpenSSL are the people to blame. PCMAG writes about Robin Seggelmann, a programmer who uploaded the code with the heartbeat request feature on Dec 31, 2011. Seggelmann says “I am responsible for the error, because I wrote the code and missed the necessary validation by an oversight. Unfortunately, this mistake also slipped through the review process and therefore made its way into the released version.”

Another question can be who was taking advantage of this bug since it was out there for about two years?
As Bruce Schneier mentions in his blog post “[a]t this point of time, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies.” Supporting Schneier, the Electronic Frontier Foundation (EFF) mentions two stories in this article about how the evidence shows the possibility that an intelligence agency could have been taking advantage of this bug all along.

I think if such a thing is true, it is completely unethical to do such a thing. This is like a company finding a way to access its employee’s data and instead of fixing the issue, taking advantage of their own employers. What do you think?
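The post attributes the bug to a missed validation in the heartbeat request handling. As an added illustration (not code from the post or from OpenSSL), this C sketch models the RFC 6520 heartbeat message layout (1-byte type, 2-byte payload length, payload, at least 16 bytes of padding) and the length check a handler needs before echoing the payload. The function names and the sample requests are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_HEADER   3   /* 1 byte type + 2 bytes payload_length */
#define HB_PADDING  16  /* minimum padding required by RFC 6520 */

/* Payload length the sender *claims*, read from the message header. */
static size_t claimed_len(const uint8_t *rec)
{
    return ((size_t)rec[1] << 8) | rec[2];
}

/* How many bytes beyond the received record a handler would read if it
 * copied claimed_len() bytes without comparing it to rec_len. This is
 * the "chunk of memory" the post refers to. Arithmetic only, no read. */
size_t overread_bytes(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER)
        return 0;
    size_t present = rec_len - HB_HEADER;
    size_t claimed = claimed_len(rec);
    return claimed > present ? claimed - present : 0;
}

/* Handler with the validation in place: returns the response length,
 * or -1 when the request must be silently discarded. */
int build_heartbeat_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_cap)
{
    /* Record must at least hold the header and the minimum padding. */
    if (rec_len < HB_HEADER + HB_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t claimed = claimed_len(rec);
    /* The check that was missing: claimed payload must fit in the record. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HEADER + claimed + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    /* Zero padding keeps the example deterministic; real padding is random. */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return (int)resp_len;
}

/* Constructed sample input: a request whose header claims `claimed`
 * payload bytes but which actually carries strlen(payload) bytes. */
size_t make_request(uint8_t *buf, uint16_t claimed, const char *payload)
{
    size_t n = strlen(payload);
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed >> 8);
    buf[2] = (uint8_t)(claimed & 0xff);
    memcpy(buf + HB_HEADER, payload, n);
    memset(buf + HB_HEADER + n, 0, HB_PADDING);
    return HB_HEADER + n + HB_PADDING;
}

int main(void)
{
    uint8_t req[64], resp[64];

    size_t n = make_request(req, 4, "ping");        /* honest request */
    printf("honest:    response=%d overread=%zu\n",
           build_heartbeat_response(req, n, resp, sizeof resp),
           overread_bytes(req, n));

    n = make_request(req, 0x4000, "ping");          /* length mismatch */
    printf("malformed: response=%d overread=%zu\n",
           build_heartbeat_response(req, n, resp, sizeof resp),
           overread_bytes(req, n));
    return 0;
}
```
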

Google Encrypts Gmail Between Data Centers

It may be a bit of an older article, but after the privacy unit and especially after the speaker last Tuesday, I thought this article would be a nice addition to the blog.

As a result of Edward Snowden’s NSA leaks, and the discovery that the NSA was collecting data from Google and Yahoo without their knowledge, Google (as of March 20th) announced that Gmail is more secure in an attempt to prevent the government from spying on one’s email activity. While Google “made HTTPS encryption the default for its users back in 2010”, the difference now is that Google now internally encrypts every email message Gmail users send or receive. This method prevents the NSA from intercepting emails while they are in transit.

The desire for internally encrypted emails was not viewed as publicly needed until after the NSA leaks, and undoubtedly, the interception of emails and other metadata was happening before the leaks occurred. Encrypted emails existed prior to this, although it was not a default option. Before now, encrypted emails signified sensitive information. With Google’s encryption of emails, the line between sensitive information and casual conversation is now heavily blurred, which leads to my question:

Because there is no initial visible difference between an email that would have previously needed encryption and a casual conversation, might that lead to a greater desire for the NSA to obtain and read all encrypted emails? When does more encryption actually begin to harm privacy?

Privacy and security – Encryption is Not Enough

People believed that cryptography could be strong enough to provide protection, privacy and internet security. However, in all possible ways, protection against powerful attacks from hackers became like a simple dream that never comes true. Researchers tried their best to look for privacy and security solutions, but every trial became impossible; all sorts of computer encryption programs, no matter how good they are, cannot prevent an attacker from going through someone’s garbage. Encryption and key management were the only hope for protection, isolation and control of personal data. Encryption was considered the protection mechanism of last resort. However, it didn’t prevent intelligence security agencies from collecting people’s data without their agreement.

Even though people believed that cryptography could protect them from many threats, some of them were afraid to use what they called a complex system, with a concern that if they lose the key, they lose all of the data forever. According to Security Pitfalls in Cryptography, “A cryptographic system can only be as strong as the encryption algorithms, digital signature algorithms, one-way hash functions, and message authentication codes it relies on. Break any of them, and you’ve broken the system. And just as it’s possible to build a weak structure using strong materials, it’s possible to build a weak cryptographic system using strong algorithms and protocols. However, just because an encryption program works doesn’t mean it is secure. What happens with most products is that someone reads Applied Cryptography, chooses an algorithm and protocol, tests it to make sure it works, and thinks he’s done. He’s not. Functionality does not equal quality, and no amount of beta testing will ever reveal a security flaw.” https://www.schneier.com/essay-028.html

People argued that encryption programs can have a secret backdoor, which may be government-mandated, used for convenience in recovery and other administrative functions. Other than government access, the primary hazard is that backdoors are often easily hacked by attackers. It has been proved that if any computer you use to store your encrypted data is infected by spyware, the decrypted data can easily be transmitted to an exploiter over the Internet.

Bruce Schneier said that Cryptography is harder than it looks: “Billions of dollars are spent on computer security, and most of it is wasted on insecure products. After all, weak cryptography looks the same on the shelf as strong cryptography. Two e-mail encryption products may have almost the same user interface, yet one is secure while the other permits eavesdropping. A comparison chart may suggest that two programs have similar features, although one has gaping security holes that the other doesn’t. An experienced cryptographer can tell the difference. So can a thief.” https://www.schneier.com/essay-037.html

40,000 new Laws took effect starting 2012!!

Recently, in our philosophy class we learnt that “breaking the law is one way we might be able to move toward better laws”. This is a matter of people’s choices. When a group of people adopt their own behavior, changing their attitude and breaking laws, the lawmakers will respect their choice and try to regulate them with new laws. The sodomy laws, surrogate motherhood laws, the abortion laws and such kinds of laws all came to help people find themselves involved in a system. However, it’s interesting to know that some laws are conflicting or interfering with the constitutional amendments.

For example, let’s take a look at the surrogate motherhood process. This is an arrangement, whether negotiated privately or through an agency, whereby a woman agrees to become pregnant (sometimes her egg is fertilized artificially with the sperm of the intended father) for the purpose of gestating and delivering a child on behalf of an infertile couple who are unable to become pregnant through natural or artificial means. This is a good thing because it is an option for some people to become parents and have their own kids without proceeding to adoption. However, too many issues are related to this arrangement. For example, the surrogate mother may change her mind at delivery and refuse to give the baby away; then come the lawyers and the court. The point I wanted to make here is that because surrogacy involves payment to the surrogate mother (taken as a sale of a child, and human beings are not objects for sale), this violates the 13th amendment of the USA constitution (bill of rights) that outlawed slavery and all kinds of sale of human beings. However, even though surrogacy is conflicting with the constitution, more than 11 states legalized it.

Recently, a lot of new laws took effect, but I am not sure if they were new ones to regulate new behaviors, or if they were just replacing old ones because these old laws were no longer matching people’s desires and attitudes. 2012 has been a more highly regulated year since all 50 state legislatures passed close to 40,000 new laws. Jay McQuade said, “Unlike our Congress, which had fewer than 60 laws make it to the House and Senate and signed by President Barack Obama, last year was actually a productive one for state lawmakers. The total averages down to 800 new laws per state. The new laws span from gun control to immigration reform to hourly wage adjustments.” http://www.policymic.com/articles/77953/40-000-new-laws-take-effect-across-the-country-today

The balance of compensation and responsibility relates to distributed computing

Wikipedia defined Distributed computing as “A field of computer science that studies distributed systems. A distributed system is a software system in which components located on networked computers communicate and coordinate their actions by passing messages. The components interact with each other in order to achieve a common goal.”

Distributed computing allows effective use of idle computing resources. BOINC (Berkeley Open Infrastructure for Network Computing) lets scientists use it to create their own volunteer computing projects and gives them the computing power of thousands of volunteer CPUs. The DESCHALL Project we read about before is also a typical example.

I think the distribution of benefits (“spoils”) in distributed computing is worth talking about. According to the website of BOINC, it’s an unpaid volunteer project, so the research achievements probably belong only to the scientists who post the research projects. As for the DESCHALL project, the originator and the owner of the computer that found the solution share the “achievement” (a $10,000 prize; the owner of the computer that found the solution got $4,000, and the originator got $6,000). In this case, people who participated in this project but didn’t find the solution didn’t get any compensation. Do you think the distributions of benefits are fair in these two cases?

Consider another case: if there’s a distributed computing project involved in criminal activity such as hacking a bank’s account, should the victims sue people who volunteered to participate in this project when they are neither the originator nor the owner of the computer that found the solution? If we won’t sue these people, it seems like we indulge the accomplices. However, if we sue them, it seems not fair to these people because they will only share the responsibility but won’t share the benefits (based on the two real world cases, these kinds of people never get any compensation).

 

BTW, if there’s any grammar mistake or any unclear statement, please let me know. Thanks!

Copyright Battle over Obama Image

I know that we have passed the copyright stuff, but I thought that this was a really interesting article! This happened in the second week of January (2009) when Shepard Fairey, who was a street artist and later became a part of the Obama presidential campaign, made the famous “Hope” poster from Obama’s portrait.

As it is said in this BBC news article, Shepard Fairey is being sued for using the AP’s (Associated Press) photograph without their permission.

There is clearly an ethical issue happening here and we can look at the fair use and what we learned and try seeing whether or not his actions were right. I think it is also worth noting that he did not make any money from this poster while being sued for a lot of money.

Is it fair use?

The purpose of the use is for Obama’s presidential campaign. This has nothing to do with the original purpose for which AP used the portrait. It is also not commercial by any means. (A lot of people made money from selling T-shirts or banners with this image, but not Shepard Fairey).

Nature of use: In my opinion the portrait had no characteristics of its own. It was a very basic portrait of Barack Obama when AP used it. Also, the work was published to the public and was publicly available. This is simply like the biography of Barack Obama (which I am assuming you can freely copy and use).

The amount of the work that was copied is somewhat concerning. This is due to the fact that Shepard Fairey used the entire image. However, I think the reason that the poster became famous was because of the effects applied to the image and the word “Hope” underneath the poster.

Shepard’s action did not have any effect on the market that would be towards what AP had published. What AP had published was in 2006 and Shepard used the picture 3 years later.

All in all, I think that Fairey’s action is considered fair use.

It’s worth taking a look at this article from Stanford explaining Measuring Fair Use: The Four Factors

Alternatives to the Password

Most of us know how difficult it can be to remember all of the passwords for all of the different web sites, operating systems, programs, etc. There are programs that will store your usernames and passwords for you so that you don’t have to write them down or memorize them. Currently, I have 90 entries in my password keeper on my phone. But how secure is this program? What if someone hacks into this app? Then they have ALL of my passwords. It’s scary to think about what would happen if someone got hold of my phone and hacked it.
The next wave in computer security will be biometric authentication. We all know that the fingerprint is being used for security (e.g. the iPhone 5S). But there are more biometric authentication identifiers on the way. For one, your heartbeat has electrical signals that are hard to duplicate. Devices like the Fitbit are already on the market, and they detect a person’s heart rhythm. Other personal identifiers include ear shape, the way you walk, and face recognition.
While biometric security seems to be more convenient than memorizing a slew of passwords, there are some negative known, and unknown, consequences. For example, if you use a fingerprint to access some information, you run the risk of someone obtaining this print by means that are not necessarily just invasive to your privacy. According to Wikipedia, “in 2005, Malaysian car thieves cut off the finger of a Mercedes-Benz S-Class owner when attempting to steal the car.”
With any new technology, we need to be prepared for the consequences that we are aware of as well as those that are unanticipated.

Should We Condone ‘Hacktivism’?

Since the subject of hacking has come up recently in lecture, I thought it’d be interesting to discuss how some people have used their talents in a way that has us questioning how we think about the word “hacker”. In the last few years we’ve seen an increase in hackers who use their computer skills to expose corruption and to make social commentary on politics, social media, and privacy. One instance, which happened not too long ago, is the Steubenville rape case, where the hack expert group Anonymous leaked videos, texts, and emails that showed a massive cover-up was taking place to protect high school football players accused of sexually assaulting a 16-year-old girl. The work by the hackers eventually led to the charging of the students and adults in the situation.

Another well-known hacktivist group is a duo based in Milan. Paolo Cirio & Alessandro Ludovico are hackers who call themselves ‘artists’, mainly to get around the legal issues their work entails. In an extremely creative use of hack skill, Cirio developed a scheme known as Google Will Eat Itself. The goal of this project was to buy shares of Google and distribute them to the public using Google’s own money. They accomplished this by using bots to click on Google advertisements on a network of hidden websites. They were apparently able to make over $400,000. Another undertaking was the writing of code and creation of an algorithm that would preview Amazon books repeatedly enough to have previewed a sufficient amount of material to read the entire book. They were then able to put the book together in its entirety and subsequently make the books available to the public. The pair also created face-to-Facebook, which scraped Facebook data of a million users, categorized them and then automatically added them to a custom online dating website. They did this as social commentary on the lack of privacy people who use sites like Facebook have. Another interesting thing the duo did was protest Google street-view by creating real-life replicas of people captured by the cameras. They justified their work by saying that the use of street view was incredibly invasive, and would in essence canonize the people without their permission.

So the questions are: should we support hacktivists like Anonymous and Cirio & Ludovico? Is their work illegal based on The Computer Fraud and Abuse Act? Would you personally consider their work illegal? Do you think their actions are morally right/wrong according to the rules we learned for judging morally right actions?

XP upgrade/Discontinue of Support

Are you still running XP?

Well, if you did not know, Windows will stop supporting Windows XP starting from April the 8th. A little background on XP: XP was released to the public on October 25th, 2001. It was preceded by Windows 2000 and Windows ME. It was succeeded by Windows Vista. Due to Vista’s terrible public reception, Windows XP was still much liked and used more by the general public until Windows 7 was released.

Windows XP has been a very stable OS for a lot of users for a long time. Even now a lot of Ohio State’s departments still use XP and a lot of companies use XP. Now is it ethical and fair for Windows to say that they will stop supporting XP? These companies that use XP might have to update their computers unwillingly just because of the stoppage of support.

What if a person has important information stored on their XP computer, but suddenly, next thing they know, they have viruses on their computer? What can they do? Maybe they can bring it into a computer shop to take a look at it, but what if it is so broken that the shop can’t fix it, only Windows can? Is it ethical for Windows to say: Well I’m sorry, we don’t support XP anymore, you’re on your own?

What do you guys think?

New Patent Legislation Moving Through Congress

New patent legislation was voted through the House of Representatives last December and is now being considered by the Senate. The last time the patent process was updated was 2011, but that legislation, known as the “America Invents Act,” for the most part fell flat. The biggest change that occurred in 2011 was switching from a first-to-invent system to a first-to-file system.
The new legislation, known as the “Innovation Act,” is meant to end the issue of “Patent Trolls.” Patent Trolls are “companies that buy cheap patents and use them for profit by threatening infringement suits against others in hopes of settling.” The Innovation act includes several changes to the litigation process that will make it harder for patent trolls to file suits indiscriminately.

1) “Require specificity in patent lawsuits” – as the law stands now, patent holders are not required to state specifically what is in violation when they file suit; the Innovation Act would require patent holders to state this.
2) “Make patent ownership more transparent” – Shell companies are a popular means for patent holders to disguise who is actually filing suit. The Innovation Act would require anyone who stands to make a financial gain to be listed by patent holders.
3) “Make losers pay” – The new bill would require losing plaintiffs to pay winning defendants’ legal fees. This would remove the fear of legal fees that causes many defendants to settle even in the case when they are right.
4) “Delay discovery to keep costs down” – the new bill delays the point in the trial when defendants would be required to release sensitive internal documents to be used in the trial.
5) “Protect end users” – a popular tactic of patent trolls is to sue end users of products that are in violation of patents. The Innovation Act would allow the producers of these products to step in and take part in the lawsuits on their customers’ behalf.

There are many legitimate companies whose business models rely on patents that have spoken out against the new bill, notably Apple, Du Pont, Ford, GE, IBM, Microsoft and Pfizer. The most surprising critics of the bill are several University groups. Universities hold lots of patents from all of the research that they do, and in some instances the tactics that they use to enforce their patents resemble those of patent trolls.

I think that this new legislation looks very promising. Holding patent holders accountable for the litigation that they create seems like a good idea to reduce frivolous lawsuits. From a utilitarian point of view, this bill would increase the happiness for the consumers and producers that frivolous lawsuits are filed against; the bill would reduce happiness for the relatively small number of “patent trolls” who benefit from these lawsuits.

It’s going down, I’m yelling Tinder!

Now here’s an interesting bit from this week’s news: Tinder, the popular mobile dating app, has suddenly been flooded with non-human users often referred to as bots. These bots seem to have one purpose: first conversing with the user, but then they suddenly recommend a game called “Castle Crash”. Furthermore, they link to a “tinderverified.com”, further attempting to trick the user. Afterwards, the bots even hint at giving you their phone number if you beat them.

There are some ethical questions raised here that I would like to consider. For one, is it ethical to have bots masquerading as humans? What about on dating websites? Additionally, does Tinder have a duty to stop spammers?

In my opinion, it is unethical to have bots pretend to be humans. In general, when paired with someone on Tinder, the user expects to be able to have a conversation with a genuine human being. Applying act utilitarianism, this evolution from spam email causes the users and the creators of the service unhappiness, meaning that it is unethical. Additionally, rule utilitarianism has a similar outcome. If everyone used bots to spam each other, there would be less happiness. We could possibly also apply moral rights theory and say that people have a right to know who they are talking to, whose duties would say that you have to be honest about your identity. Following this, the spam is unethical as well.

Considering the question regarding Tinder’s duty to stop spammers, I think this is true. If people are creating misleading links using the Tinder name, this tricks users and could reduce their happiness. Seeing as I’m hinting toward another utilitarian perspective, we could regard Tinder’s action, or rather inaction, as unethical.

I look forward to comments!

US created ‘Cuban Twitter’ to stir unrest

BBC reports that the US government created a phone based, Twitter-like company to be implemented in Cuba.  This application, originally presented to the Cuban people through a guise as “sports news updates,” was based out of Spain and the Cayman Islands to reroute information flow, hiding America’s development and involvement with the project.

After hooking users, the US planned to “introduce political messages in the hope of spurring the network’s users, especially younger Cubans, into dissent from their communist-run government.”

USAID spokesman Matt Herrick said – “That’s how you protect the practitioners and the public.”

It is interesting to note that the government believes it was protecting the rights of Cubans. Is it freedom of speech if you’ve politically inspired the citizens in a certain direction? It seems to me like this is a Cuban petri dish, and American scientists, wanting to instigate freedom of speech, tampered with the results by accidentally slipping a strain of American Interests into the experiment.

Herrick also said, “In hostile environments, we often take steps to protect the partners we’re working with on the ground. This is not unique to Cuba.”

Cubans certainly don’t have equal rights to the United States citizens. “Cubans were only permitted to own mobile phones in 2008.” Just only, “last year, 137 public internet access points have been opened – for the whole island. But one hour online costs $4.50 (£2.70) – or almost a quarter of an average monthly state salary.” These infringements of speech rights are troubling. But, is a country truly liberated if political reform doesn’t come directly from its citizens?

Governments instigating sparks that could lead to coups d’état sounds very dangerous to me. Think of how Russia invaded Crimea during political unrest, how they sponsored a secession referendum. What if China saw signs to erode North Korea’s regime, and ‘freed’ its citizens by absorbing the country?

Is it ethical for us to allow our government to do these types of activities?

Food for thought.

Standards of professions in society

Professionals all have different special obligations, and they all have to be registered. However, they are and have been known at different levels. Some are considered to be higher than others, regarding the results of their works or regarding the salaries earned. For example, people believe that engineers should not be licensed just because they are not doctoring or lawyering. Sometimes people think that Engineering and Medicine have no defined differences because a lot of Engineers are Doctors, and some students in some parts of engineering majors end up trying to get into Medical school, maybe because that’s the very highly paid and honored career. However, even though people think that Medicine and Law are higher than Engineering, some engineers find their career higher than any other career and find it helpful if they are not registered. Their reasons may be related to the fact that they don’t have to defend what they do like Doctors and lawyers, because their works speak for themselves.

Back in history, Engineering was not regarded as a profession like Medicine or Law just because Law was a respected profession for the upper classes, and Medicine became a profession because it involved a lot of learning that only the rich could afford. Later on, people believed that engineering societies were not as powerful as the AMA (American Medical Association) and the ABA (American Bar Association). Even though society used to hold medicine and law on a higher pedestal than engineering, some people have proven the opposite. For example, the 31st US President, Herbert Clark Hoover, explained how Engineering got a much higher level than any other profession. He said: “The great liability of the engineer compared to men of other professions is that his works are out in the open where all can see them. His acts, step by step, are in hard substance. He cannot bury his mistakes in the grave like the doctors. He cannot argue them into thin air or blame the judge like the lawyers…. He cannot, like the politician, screen his shortcomings by blaming his opponents and hope that the people will forget. The engineer simply cannot deny that he did it. If his works do not work, he is damned forever.” Herbert Hoover, http://izquotes.com/quote/283757