Programming

Profile of William H. Alsup, a Judge Who Codes and Decides Tech's Biggest Cases (theverge.com) 16

Sarah Jeong at The Verge has an interesting profile of William H. Alsup, the judge in Oracle v. Google case, who to many's surprise was able to comment on the technical issues that Oracle and Google were fighting about. Alsup admits that he learned the Java programming language only so that he could better understand the substance of the case. Here's an excerpt from the interview: On May 18th, 2012, attorneys for Oracle and Google were battling over nine lines of code in a hearing before Judge William H. Alsup of the northern district of California. The first jury trial in Oracle v. Google, the fight over whether Google had hijacked code from Oracle for its Android system, was wrapping up. The argument centered on a function called rangeCheck. Of all the lines of code that Oracle had tested -- 15 million in total -- these were the only ones that were "literally" copied. Every keystroke, a perfect duplicate. It was in Oracle's interest to play up the significance of rangeCheck as much as possible, and David Boies, Oracle's lawyer, began to argue that Google had copied rangeCheck so that it could take Android to market more quickly. Judge Alsup was not buying it. "I couldn't have told you the first thing about Java before this trial," said the judge. "But, I have done and still do a lot of programming myself in other languages. I have written blocks of code like rangeCheck a hundred times or more. I could do it. You could do it. It is so simple." It was an offhand comment that would snowball out of control, much to Alsup's chagrin. It was first repeated among lawyers and legal wonks, then by tech publications. With every repetition, Alsup's skill grew, until eventually he became "the judge who learned Java" -- Alsup the programmer, the black-robed nerd hero, the 10x judge, the "master of the court and of Java."
EU

EU: No Encryption Backdoors But, Let's Help Each Other Crack That Crypto (theregister.co.uk) 60

The European Commission has proposed that member states help each other break into encrypted devices by sharing expertise around the bloc. From a report: In an attempt to tackle the rise of citizens using encryption and its effects on solving crimes, the commission decided to sidestep the well-worn, and well-ridiculed, path of demanding decryption backdoors in the stuff we all use. Instead, the plans set out in its antiterrorism measures on Wednesday take a more collegiate approach -- by offering member states more support when they actually get their hands on an encrypted device. "The commission's position is very clear -- we are not in favour of so-called backdoors, the utilisation of systemic vulnerabilities, because it weakens the overall security of our cyberspace, which we rely upon," security commissioner Julian King told a press briefing. "We're trying to move beyond a sometimes sterile debate between backdoors or no backdoors, and address some of the concrete law enforcement challenges. For instance, when [a member state] gets a device, how do they get information that might be encrypted on the device." [...] Share the wealth. "Some member states are more equipped technically to do that [extract information from a seized device] than others," King said. "We want to make sure no member state is at a disadvantage, by sharing the tech expertise among the member states and reinforcing the support that Europol can offer."
Books

Amazon E-Book Buyers Receive Payment From Antitrust Lawsuit Settlement (idropnews.com) 41

If you bought a Kindle e-book between April 2010 and May 2012, you might see some Amazon credit coming your way. The company is reportedly distributing funds from an antitrust lawsuit that it levied at Apple in 2013. From a report: Amazon has set up a website listing the available credits, and it has begun sending out emails this morning to U.S. customers who are eligible for a refund. Apple and a handful of book publishers, including Penguin, HarperCollins, Machete Book Group and Macmillan, were found guilty of conspiring to inflate the prices of e-books in order to weaken Amazon's grip on the market. While the book publishers settled out of court, Apple decided to fight the lawsuit and appealed several times. Eventually, it was ordered to pay a total of $450 million in the protracted antitrust case.

Several refunds have already been distributed because of the lawsuit. In fact, the bulk of credits were sent out in 2014 and 2016. The round of credits being sent out today comes from an earmarked $20 million meant to pay states involved in the suit. The Amazon credits have a six-month shelf life and must be spent by April 20, 2018, or they'll expire. In addition the Amazon credits, customers may also be receiving Apple credits that can be used toward iBooks, iTunes and App Store purchases. Apple is currently notifying eligible customers via email.

Security

Ask Slashdot: What Are Ways To Get Companies To Actually Focus On Security? 150

New submitter ctilsie242 writes: Many years ago, it was said that we would have a "cyber 9/11," a security event so drastic that it fundamentally would change how companies and people thought about security. However, this has not happened yet (mainly because the bad guys know that this would get organizations to shut their barn doors, stopping the gravy train.) With the perception that security has no financial returns, coupled with the opinion that "nobody can stop the hackers, so why even bother," what can actually be done to get businesses to have an actual focus on security. The only "security" I see is mainly protection from "jailbreaking," so legal owners of a product can't use or upgrade their devices. True security from other attack vectors are all but ignored. In fact, I have seen some development environments where someone doing anything about security would likely get the developer fired because it took time away from coding features dictated by marketing. I've seen environments where all code ran as root or System just because if the developers gave thought to any permission model at all, they would be tossed, and replaced by other developers who didn't care to "waste" their time on stuff like that.

One idea would be something similar to Underwriters Labs, except would grade products, perhaps with expanded standards above the "pass/fail" mark, such as Europe's "Sold Secure," or the "insurance lock" certification (which means that a security device is good enough for insurance companies to insure stuff secured by it.) There are always calls for regulation, but with regulatory capture being at a high point, and previous regulations having few teeth, this may not be a real solution in the U.S. Is our main hope the new data privacy laws being enacted in Europe, China, and Russia, which actually have heavy fines as well as criminal prosecutions (i.e. execs going to jail)? This especially applies to IoT devices where it is in their financial interest to make un-upgradable devices, forcing people to toss their 1.0 lightbulbs and buy 1.0.1 lightbulbs to fix a security issue, as opposed to making them secure in the first place, or having an upgrade mechanism. Is there something that can actually be done about the general disinterest by companies to make secure products, or is this just the way life is now?
Government

CNN Gets a First-Of-Its-Kind Waiver To Fly Drones Over Crowds (techcrunch.com) 56

The FAA has granted CNN a waiver that allows it to fly its Vantage Robotics Snap drone over open-air crowds of people at altitudes of up to 150 feet. "This is a new precedent in this kind of waiver: Previous exemptions allowed flight of drones over people in closed set operations (like for filmmaking purposes) and only when tethered, with a max height of 21 feet," reports TechCrunch. From the report: The new waiver granted to CNN, as secured through its legal counsel Hogan Lovells, allows for flight of the Vantage UAV (which is quite small and light) above crowds regardless of population density. It was a big win for the firm and the company because it represents a change in perspective on the issue for the FAA, which previously viewed all requests for exceptions from a "worst-case scenario" point of view. Now, however, the FAA has accepted CNN's "reasonableness Approach," which takes into account not just the potential results of a crashed drone, but also the safe operating history of the company doing the flying, their built-in safety procedures, and the features included on the drone model itself that are designed to mitigate the results of any negative issues.
The Courts

Tesla Faces Lawsuit For Racial Harassment In Its Factories (mercurynews.com) 137

Three former Tesla factory workers have filed a lawsuit against the company, claiming they were subject to constant racial discrimination and harassment in the electric car company's factories. "The men, who are African-American, claim in a new complaint filed Monday in state court that Tesla supervisors and workers used racial epithets and drew racist graffiti on cardboard boxes," reports The Mercury News. From the report: The new suit is the second by black employees charging Tesla failed to address racial antagonism at its factory. The electric vehicle maker also has a hearing before the National Labor Relations Board over claims it illegally tried to silence workers promoting a union. The complaints come as the Tesla heads into a crucial ramp-up of Model 3 production, its lower-cost electric vehicle. A Tesla spokesman denied the suit's allegations and said the men never raised the complaints to the company during their brief time at the plant. "Given our size, we recognize that unfortunately at times there will be cases of harassment or discrimination in corners of the company," the spokesman said. "From what we know so far, this does not seem to be such a case." The suit, filed in Alameda County Superior Court, claims Owen Diaz and his son, Demetric, were called the N-word while they worked at the Fremont factory, and supervisors did little to stop it. A third man, Lamar Patterson, also claims he was subjected to insensitive racist remarks.
Patents

Activision Patents Pay-To-Win Matchmaker (rollingstone.com) 126

New submitter EndlessNameless writes: If you like fair play, you might not like future Activision games. They will cross the line to encourage microtransactions, specifically matching players to both encourage and reward purchase. Rewarding the purchase, in particular, is an explicit and egregious elimination of any claim to fair play. "For example, if the player purchased a particular weapon, the microtransaction engine may match the player in a gameplay session in which the particular weapon is highly effective, giving the player an impression that the particular weapon was a good purchase," according to the patent. "This may encourage the player to make future purchases to achieve similar gameplay results." Even though the patent's examples are all for a first-person-shooter game, the system could be used across a wide variety of titles. "This was an exploratory patent filed in 2015 by an R&D team working independently from our game studios," an Activision spokesperson tells Rolling Stone. "It has not been implemented in-game." Bungie also confirmed that the technology isn't being used in games currently on the market, mentioning specifically Destiny 2.
Patents

Tribal 'Sovereign Immunity' Patent Protection Could Be Outlawed (arstechnica.com) 91

AnalogDiehard writes: The recent -- and questionable -- practice of technological and pharmaceutical companies selling their patents to U.S. native Indian tribes (where they enjoy "sovereign immunity" from the inter partes review (IPR) process of the PTO) and then the tribes licensing them back to the companies is drawing scrutiny from a federal court and has inspired a new U.S. bill outlawing the practice. The IPR process is a "fast track" (read: much less expensive) process through the PTO to review the validity of challenged patents -- it is loved by defendants and hated by patent holders. Not only has U.S. Circuit Judge William Bryson invalidated Allergan's pharmaceutical patents due to "obviousness," he is questioning the legitimacy of the sovereign immunity tactic. The judge was well aware that the tactic could endanger the IPR process, which was a central component of the America Invents Act of 2011, and writes that sovereign immunity "should not be treated as a monetizable commodity that can be purchased by private entities as part of a scheme to evade their legal responsibility." U.S. Senator Claire McCaskill (D-Mo.) -- no stranger to abuses of the patent system -- has introduced a bill that would outlaw the practice she describes as "one of the most brazen and absurd loopholes I've ever seen and it should be illegal." Sovereign immunity is not absolute and has been limited by Congress and the courts in the past. The bill would apply only to the IPR proceedings and not to patent disputes in federal courts.
The Military

SpaceX's Reusable Rockets Win US Air Force General's Endorsement (bloomberg.com) 70

As the military looks to drive down costs, the head of U.S. Air Force Space Command said he's "completely committed" to launching future missions with recycled rockets like those championed by SpaceX's Elon Musk. "It would be 'absolutely foolish' not to begin using pre-flown rockets, which brings such significant savings that they'll soon be commonplace for the entire industry, General John W. 'Jay' Raymond said," reports Bloomberg. From the report: "The market's going to go that way. We'd be dumb not to," he said. "What we have to do is make sure we do it smartly." The Air Force won't be able to use the recycled boosters until they're certified for military use, a process that Raymond suggested may already be in the works. "The folks out at Space and Missile Systems Center in Los Angeles that work for me would be in those dialogues," he said, declining to specify when certification could take place. "I don't know how far down the road we've gotten, but I am completely committed to launching on a reused rocket, a previously flown rocket, and making sure that we have the processes in place to be able to make sure that we can do that safely."
Government

'Significant' Number of Equifax Victims Already Had Info Stolen, Says IRS (thehill.com) 105

An anonymous reader quotes a report from The Hill: The IRS does not expect the Equifax data breach to have a major effect on the upcoming tax filing season, Commissioner John Koskinen said Tuesday, adding that the agency believes a "significant" number of the victims already had their information stolen by cyber criminals. "We actually think that it won't make any significantly or noticeable difference," Koskinen told reporters during a briefing on the agency's data security efforts. "Our estimate is a significant percent of those taxpayers already had their information in the hands of criminals." The IRS estimates that more than 100 million Americans have had their personally identifiable information stolen by criminal hackers, he said.

The Equifax breach disclosed in early September is estimated to have affected more than 145 million U.S. consumers. "It's an important reminder to the public that everyone can take any actions that they can ... to make sure we can do everything we can to protect personal information," Koskinen said of the breach on Tuesday, in response to a reporter's question. The IRS commissioner advised Americans to "assume" their data is already in the hands of criminals and "act accordingly."

Piracy

Netflix, Amazon, Movie Studios Sue Over TickBox Streaming Device (arstechnica.com) 128

Movies studios, Netflix, and Amazon have teamed up to file a lawsuit against a streaming media player called TickBox TV. The device in question runs Kodi on top of Android 6.0, and searches the internet for streams that it can make available to users without actually hosting any of the content itself. An anonymous reader quotes a report from Ars Technica: The complaint (PDF), filed Friday, says the TickBox devices are nothing more than "tool[s] for mass infringement," which operate by grabbing pirated video streams from the Internet. The lawsuit was filed by Amazon and Netflix Studios, along with six big movie studios that make up the Motion Picture Association of America: Universal, Columbia, Disney, Paramount, 20th Century Fox, and Warner Bros.

"What TickBox actually sells is nothing less than illegal access to Plaintiffs' copyrighted content," write the plaintiffs' lawyers. "TickBox TV uses software to link TickBox's customers to infringing content on the Internet. When those customers use TickBox TV as Defendant intends and instructs, they have nearly instantaneous access to multiple sources that stream Plaintiffs' Copyrighted Works without authorization." The device's marketing materials let users know the box is meant to replace paid-for content, with "a wink and a nod," by predicting that prospective customers who currently pay for Amazon Video, Netflix, or Hulu will find that "you no longer need those subscriptions." The lawsuit shows that Amazon and Netflix, two Internet companies that are relatively new to the entertainment business, are more than willing to join together with movie studios to go after businesses that grab their content.

Google

'Google Just Made Gmail the Most Secure Email Provider on the Planet' (vice.com) 197

Google announced on Tuesday that it would offer stronger online security for "high risk" users who may be frequent targets of online attacks. The company said anyone with a personal Google account can enroll in the new "advanced protection," while noting that it will require users to "trade off a bit of convenience" for extra security. Motherboard reports: The main advantage in terms of security is the need for a key or token to log in as the second factor, instead of a code sent via SMS or via app. This is much better because there's no way for hackers to steal or phish this key from afar (there have been isolated incidents of hackers using social engineering to gain access to someone's cell phone number by getting the provider to issue a new SIM card, for instance). Thanks to these new features, Gmail is now the most secure email provider available on the internet if you are worried about hackers breaking into your private correspondence. "This is a major step in the right direction in offering the same kind of protection available to high-profile figures to everyday people," Kenneth White, a Washington D.C. based security consultant to federal agencies, told Motherboard. "They have really thought this through, and while it may not make sense for everyone, for those that need it, it's a much needed option."
Android

Essential Is Getting Sued For Allegedly Stealing Wireless Connector Technology (gizmodo.com) 43

"Keyssa, a wireless technology company backed by iPod creator and Nest founder Tony Fadell, filed a lawsuit against Essential on Monday, alleging that the company stole trade secrets and breached their nondisclosure agreement," reports Gizmodo. Keyssa has proprietary technology that reportedly lets users transfer large files in a matter of seconds by holding two devices side by side. From the report: According to the lawsuit, Keyssa and Essential engaged in conversations in which the wireless tech company "divulged to Essential proprietary technology enabling every facet of Keyssa's wireless connectivity," all of which was protected under a non-disclosure agreement. More specifically, the lawsuit alleges that Keyssa "deployed a team 20 of its top engineers and scientists" to educate Essential on its proprietary tech, sending them "many thousands of confidential emails, hundreds of confidential technical documents, and dozens of confidential presentations." Essential ended this relationship after over 10 months and later told Keyssa that its engineers would use a competing chip in the Essential Phone. But Keyssa is accusing Essential of including techniques in its phone that were gleaned from their relationship, despite their confidentiality agreement. Central to this lawsuit is one of the Essential Phone's key selling points: the option to swap in modular add-ons, made possible thanks to the phone's unique cordless connector. In short, if Keyssa's claims hold water, then one of the phone's defining factors is a product of theft.
Wireless Networking

Every Patch For 'KRACK' Wi-Fi Vulnerability Available Right Now (zdnet.com) 133

An anonymous reader quotes a report from ZDNet: As reported previously by ZDNet, the bug, dubbed "KRACK" -- which stands for Key Reinstallation Attack -- is at heart a fundamental flaw in the way Wi-Fi Protected Access II (WPA2) operates. According to security researcher and academic Mathy Vanhoef, who discovered the flaw, threat actors can leverage the vulnerability to decrypt traffic, hijack connections, perform man-in-the-middle attacks, and eavesdrop on communication sent from a WPA2-enabled device. In total, ten CVE numbers have been preserved to describe the vulnerability and its impact, and according to the U.S. Department of Homeland Security (DHS), the main affected vendors are Aruba, Cisco, Espressif Systems, Fortinet, the FreeBSD Project, HostAP, Intel, Juniper Networks, Microchip Technology, Red Hat, Samsung, various units of Toshiba and Ubiquiti Networks. A list of the patches available is below. For the most up-to-date list with links to each patch/statement (if available), visit ZDNet's article.
Security

Ask Slashdot: What Are Some Hard Truths IT Must Learn To Accept? (cio.com) 413

snydeq writes: "The rise of shadow IT, shortcomings in the cloud, security breaches -- IT leadership is all about navigating hurdles and deficiencies, and learning to adapt to inevitable setbacks," writes Dan Tynan in an article on six hard truths IT must learn to accept. "It can be hard to admit that you've lost control over how your organization deploys technology, or that your network is porous and your code poorly written. Or no matter how much bandwidth you've budgeted for, it never quite seems to be enough, and that despite its bright promise, the cloud isn't the best solution for everything." What are some hard truths your organization has been dealing with? Tynan writes about how the idea of engineering teams sticking a server in a closet and using it to run their own skunkworks has become more open; how an organization can't do everything in the cloud, contrasting the 40 percent of CIOs surveyed by Gartner six years ago who believed they'd be running most of their IT operations in the cloud by now; and how your organization should assume from the get-go that your environment has already been compromised and design a security plan around that. Can you think of any other hard truths IT must learn to accept?

Slashdot Top Deals