Porn in the Closet: A Tribute to CPSC 183 – by “Jennifer S – YLT2012”

Say you wake up in the morning, after a hard night of partying, surrounded by empty bottles, your hungover girlfriend, and your laptop—with windows open to kiddie porn. How the hell did that get there? What the hell is wrong with you? And what legal conundrum will you find yourself in should the police discover your hoards of mysteriously downloaded child pornography? And if, by chance, you like making fannish vids of The Land Before Time set to Prince music, can you legally claim fair use? Yes.

This is the situation that our hero faces in our magnum opus, “Porn in the Closet,” a musical tribute to the great lyrical prodigy R. Kelly. Check out the original R. Kelly song here. “Porn in the Closet” is a scandalous synthesis of modern legal code and case law governing the legality of internet activity, privacy, and free speech in the United States today.

Allow us to explain the twisted tale of our “Porn in the Closet” protagonist. Poor P. Kelly (the “P” of course stands for “Porn”) wakes up to discover child pornography–for decency’s sake, here represented by Sesame Street characters with censored chests. Police officers who thermo-scanned the house, thinking P. Kelly had a marijuana growing operation, enter P. Kelly’s place with a warrant. Their warrant was unlawfully obtained, however, according to the 2001 Supreme Court ruling in Kyllo v. United States, which found that thermo-scanning violates the Fourth Amendment’s protection against unlawful search and seizure. P. Kelly lets the officers in, and they discover the laptop full of kiddie porn hidden in the closet. The laptop was given away by the sound of a Skype call, which we may legally use in our video because it is created for educational purposes and is therefore not a copyright violation, but rather fair use!

While the officers, P. Kelly, and his girlfriend Polly ponder what to do about the kiddie porn situation, two DMCA (Digital Millennium Copyright Act) agents walk in. While DMCA agents typically issue take-down requests online, the artist formerly known as the Artist Formerly Known as Prince is particularly vengeful in protecting his music online. P. Kelly had created fannish vids, splicing footage from The Land Before Time movies with Prince songs. Thankfully, Judge Pierre Leval is on hand to clear up any confusion about transformative work and fair use. Judge Leval is in midget form, an homage to Chapter 9 of the original “Trapped in the Closet.” Our song is, of course, a parody and therefore fair use. Fannish vids are also, in fact, fair use, according to Section 107 of Title 17 of the U.S. Code.

Another knock comes on the door. P. Kelly questions what else he could have possibly done… Did they eat Roger Whitmore, the cannibalized cave explorer in The Speluncean Explorers? Did they hack into SendMail and create a virus, like the worm that wrought havoc in 1990, created by bored college student Robert Tappan Morris? No, we will never know what other internet crimes or gaffes P. Kelly has committed, because our favorite deus ex machina saves the day. Brad Rosen, in all of his glory, brings our tale to a close.
Follow along with our lyrics:
Seven o’clock in the morning
And the rays from the sun wakes me
I’m stretchin’ and yawnin’
My laptop is there right beside me
And I hear her retching from the bathroom
Then along comes Polly, she kisses me
And unsurprisingly she’s hungover, skank.

Now I’ve got this dumb look on my face
Like, what have we done?
How could I be so stupid to have downloaded all this kiddie porn?
Must have blacked out last night
Oh, what was on my mind?
Met on 4chan, took her home
Didn’t plan to sing this song
Knock on the door hearin, “Police, open up!”
My girlfag looks at me
Tells me to delete the kiddie porn
Keep trying to close windows
“Kiddie porn move out my way”
Police said “We have a warrant”
“Open up sometime today!”
“Shit think, shit think, shit quick: put it in the closet.”

“Smelled weed last night,
Got a warrant to search your place.
Thermo-scanned your house,
Think you have a growing space.”
“Grow weed? What, we don’t do that.
That was just my tanning bed.”

You’re not gonna believe it, but things get deeper as the story goes on
Next thing you know they hear my laptop with the kiddie porn

“This is child pornography
We’re going to have to take you in”
“Whoa, this isn’t our kiddie porn
Someone else must have put that there.
We’re not into that
We only watch porn between legally-consenting, and unionized disease-free adults”

I’m telling you now, I wish this was the worst part of my day
But then another knock
In walks an agent of the DMCA
We’re by the closet, like man, what the fuck is happenin’?
“We have a takedown request”
From the artist formerly known as Prince
Is this about my fannish vids? Those were transformative
Land Before Time needed a bit of Prince
Fair use from section 107 of Title 17 of the US Code
A midget said, “Vidding is fair use.”
“Oh I didn’t watch it”
And I’m like, “God it’s Judge Pierre Leval from the second circuit!”

“Why is he a midget?”
“We needed a midget.”
She says, “Baby, we’re in deep shit.”
Another knock on the door.
We stop, all look at each other
Like, Who the hell is that
We say, “What else did we do?”
We need a jailbreak IRL
Did we eat Roger Whitmore?
Did we hack into mail?
The knocking gets louder
I pull out my Baretta
They pull out their Tasers
Said “Don’t tase me bro!”
Midget opens the door
I can’t believe it’s Brad Rosen…

Final Project: My Big, Fat, Vaguely Acquainted Network – by “Charlie C”

People are getting smarter about their privacy online. By now we all (hopefully) know to restrict our profiles so that only friends can see our personal information. But after 3, 4, 5+ years of social networking, how many people still know ALL of their Facebook friends? For our final project, we set out to design a fun, interactive website that would work to remind Facebook users of their overly extended networks.

Playing WhatsHerFace-book.com

After launching this weekend, we’ve seen over 700 users (mostly college-age students) tag 35,000 friends, and it turns out that the average player only knew 70% of the Facebook friends presented. Now, of course, the term “average user” is very skewed given our user base. Facebook reports that the average user has 130 friends, while our average player has boasted a whopping 880.

We argue that anything under 100% recognition of your “friends” should raise some privacy red flags. Every one of your friends can share your information with third-party apps (in fact, it’s this that allows our app to function); we are able to pull all of your friends’ photos without their permission–that is, unless they’re smart about their privacy settings. Even if you can’t bring yourself to defriend a long-lost acquaintance, at the very least you should consider creating managed friends lists with restricted privacy settings.

Results from a round of WhatsHerFace

We also hope to remind people to consider their audience when sharing content. “Friends of Friends” is never a good idea. For the average Facebook user, that’s 17 thousand people you don’t know, and why would they need to see your information anyways? Entire networks are generally a bad idea as well. You have no idea how large those networks can be, and with companies asking alums to Facebook stalk you on their behalf, does all of Yale really need to see you with your solo cups?

You probably think you know all your friends. Maybe you even pruned the list recently. But you had names alongside faces, and it’s so much easier to identify someone with a name. Try out whatsherface-book.com and you’ll understand just what we mean when whatsherface from freshman year comes up and you’re forced to think, “Who the hell is that?”

Charlie Croom
Bay Gross

It’s 5:00. Do you know where your iOS device is? Because Apple does. – by “Evin M”

Today, Alasdair Allan and Pete Warden announced that “[e]ver since iOS 4 arrived, your device has been storing a long list of locations and time stamps.” Your device’s longitude and latitude have been recorded hundreds of thousands of times with timestamps, getting backed up to iTunes, transferred to new devices, and restored across backups. It’s not encrypted, it’s not protected, and it’s pretty easy to access.

A visualization of iPhone location data, from Alasdair Allan and Pete Warden

Let’s recall US v. Maynard, a 2010 case where FBI agents planted a GPS tracking device on a car while the car was on private property, and then recorded its location every ten seconds for a month without obtaining a warrant. The US Court of Appeals for D.C. held that obtaining such information required a search warrant, and rejected the Bureau’s claims that their actions didn’t constitute a search. The Bureau cited US v. Knotts, in which police used a beeper device to track the discrete movements of a suspected conspirator’s car over a limited period of time. In that case’s opinion, the court only addressed the use of such tracking technology for a single car trip–not limitless access to GPS data, regardless of previously specified time or place.

Accessing aggregated GPS data in an investigation constitutes a search and requires a warrant. However, we’re only familiar with this situation when a third party is seeking that location data. What’s unique about Apple as the original collector? They’re not going after data collected by another party–it’s a function built into the software, and it’s covered in the terms of service.

Indeed, Apple’s iOS 4 TOS says:

To provide location-based services on Apple products, Apple and our partners and licensees may collect, use, and share precise location data, including the real-time geographic location of your Apple computer or device. This location data is collected anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services. For example, we may share geographic location with application providers when you opt in to their location services.

So what’s next?  The blogosphere is feeling squeamish, but is that the extent of the response? Thoughts, guys?

As an aside, Apple’s capitalizing upon the buzz with advertisements on Google, perhaps employing the same publicity tactics that BP did, post-oil-spill (I blogged about it here). I’d be interested to see if the content of these word-triggered ads changes to be more actively positive in Apple’s favor as more eyebrows are raised in response to this latest discovery.

Hide your account settings, Hide your email, cuz Facebook’s changing everything up in here – by “Evin M”

mysideproj3ct.wordpress.com

Last spring, Facebook rolled out a new interface with oodles of novel functionality and a handful of big, flashy security holes. In April 2010, we met the Open Graph, which utilized Facebook’s Social Graph technology to transform your stated affiliations and affinities from static comments to active connections–literally, your favorite books and music became hyperlinks. If you didn’t agree to hyperlink your lists of favorites, interests, etc., they were deleted (and so it was that I had a rather blank profile). This change both made profile information infinitely easier to manipulate on the back end (and thus package and distribute to third parties), and rolled in with a LOT of default rules. The power of the default capitalizes upon laziness–if a new element of your profile is introduced with a default setting, odds are you won’t change it (unless you’re neurotic like me and check your account and privacy settings every few weeks). The biggest, baddest April ’10 default of them all was Instant Personalization, which handed over your connections to recipients like Windows Docs, Yelp and Pandora because it was originally an opt-out feature. Only later did Facebook take a step back and change the default rule–but discussion about it didn’t die down before, due to a glitch, some users were able to creep in and see the live chats of their friends. It was a scary bug, but one that got fixed after it was flaunted in the NY Times. And so began a renewed wave of privacy freakouts and Facebook hating in the general public–one that, I’ll wager, is about to make another comeback.

What concerns me more than mistakes in code is when they team up with the deliberate integration of opt-out settings. It seems that the quick-quick-forget-the-debugging-just-push-the-fun-new-toys-out-there mentality has again taken Mountain View by storm, and we’re getting a repeat of last spring. I think I’ve been deemed either hip or unlucky by the Facebook team, because my profile currently seems to be sporting more new tricks than some of my friends’. The spelling and capitalization of my status updates and chats are automatically corrected, I’ve got e-mail integration in my private messages, and my account settings show an option for suggesting profile pictures to friends. Nifty! Except... hey, wait. I had painstakingly gone through all of my account settings to uncheck the boxes permitting email and SMS notifications for various apparently noteworthy events (you’ve been tagged in a picture, your status has 9088 new comments, grandma just liked your link, etc.). However, ALL of the boxes were checked–including the new options and the old ones that I had previously unchecked. I was irritated, so I unchecked all of the boxes, hit save, and let out a sigh of relief when Facebook affirmed that my new settings were saved.

I returned to my account settings page a minute later to find that a large majority of the aforementioned boxes under the notifications heading were still checked. I unchecked them, saved my settings, and refreshed the page, only to find these boxes checked again.

There’s not TOO much at stake right now–I’m just going to receive an annoyingly large amount of email in the future informing me that I have notifications. That said, I’m still concerned. What if this happened to my privacy settings? Not cool, Facebook. Not cool.

Edit: Tuesday, April 19th, 2011. 10:20 pm.

Yet again, I entered my account settings to find this:

UGH.

Insurance hikes, privacy risks, for social media users – by “Jacob A”

The Huffington Post recently reported on a prediction made by the website confused.com, which helps insurance payers navigate and compare different rates, about a probable rise in insurance premiums for social media users. Why would social media users see home insurance hikes? Because the status updates and other information they furnish on the social media services they use, such as Twitter or Foursquare, alert burglars as to when they’re home, and when they’re not.

http://www.csmonitor.com/var/ezflow_site/storage/images/media/images/0217_pleaserobme/7409270-1-eng-US/0217_PleaseRobMe_full_380.jpg

Tweeting something as benign as “great tilapia tacos @ Drew’s Taco Shack” is potentially unsafe, as it alerts burglars to the fact that whoever is currently eating a taco with Drew is also not home. A new website, pleaserobme.com, hopes to increase awareness about the dangers of publicly providing too much information, so it collects tweets and Facebook status updates and displays them to the world for anyone to see.

Pleaserobme.com means to make people realize the dangers of constantly updating and disseminating their location at all times, but it does so by letting robbers know when you’re not home. That is an admittedly pretty funny way of getting thoughtless social media users to think twice before tweeting “I’m at Cali Yogurt,” but it is also a lawsuit waiting to happen.

That said, it really is easy enough to find out where a sizeable chunk of the population lives by using Google’s phone number lookup on a number or address. Consider also the enormous amounts of information provided by Google Earth or Street View, and the extent to which digital technologies empower house robbers (or identity thieves or other poorly intentioned individuals) becomes abundantly clear.

But even admitting that “criminals are becoming increasingly sophisticated in their information gathering… to plan their burglaries with military precision,” as Darren Black, the head of home insurance at confused.com, has pointed out – does this justify insurance hikes? What standards of burglar-sensitive stupidity (e.g. “Oh no! In Mexico for three days & think I forgot to turn the heat off at home!”) will insurance providers use? How does one gauge burglary (or other) risks from a tweet or Facebook status update? And isn’t the very purpose and function of social media to disseminate opinions, constantly updated personal information, microstatements about daily life and whereabouts? Insurance hikes might make sense if there is an actual increase in risk because of social media use, but they also go against the nature of these services. The Huffington Post article refers to a news clipping from 1983 warning telephone users about the dangers of voicemail: “If you have an answering machine that tells callers you are not at home it could alert potential burglars, advises Family Circle magazine.”

http://images.huffingtonpost.com/gen/143131/PHONE-BURGLARS.jpg

Isn’t the fear over the disclosure of too much information via Twitter et al. unsubstantiated, given the fact that a great portion of tweets are sent via mobile (and hence out of the home) anyway? Wouldn’t home insurance hikes for social media users be just as silly as if they were applied to phone owners who didn’t change their voicemail?

But the kinds of information we propagate online through Foursquare and Facebook and Twitter also point to the kind of information ecology we would like to live in. Sure, it’s easy enough to make your entire Facebook page private – but was privacy ever the point of social media? Is privacy, as Mark Zuckerberg (in)famously recently stated, “no longer a social norm”?

But, then, where does one draw the line between stupidity and paranoia? There are undeniable dangers to giving away too much of our privacy, but what might those be? Is it more reasonable to be worried about burglars robbing your home, or about the larger privacy or security implications of geolocative (social) media? Shouldn’t we be more concerned about national security compromises that arise when the heads of national intelligence disclose too much information online? For the average person, disclosing too much information may not be a security risk, but it certainly remains a privacy risk. Forget robbers – what about data trawlers, or hostile intelligence networks, or government agencies, or corporate interests, who amass our geolocative (and all our other) social media information?

By default, Facebook makes you publicly searchable by everyone, and publicly visible to everyone in your networks. Default settings go unchanged more often than not. Privacy is not a default setting. The question is whether it still remains a social standard.

Social media is still a new technology. It will have direct implications on things such as hikes in home insurance premiums, as well as much larger cultural consequences. Is a social media universe where it is considered unsafe to post birthdates, pets’ names, phone numbers, or photos a friendly one? A social one? We may have to weigh privacy and friendliness against each other.

Cybersecurity Regulations on the U.S. Power Grid – by “Yingqi G”

A 60 Minutes report last week described the possibility that hackers were behind massive power outages in Brazil in 2007 and 2005. The report also describes how the U.S. infrastructure is likewise vulnerable to hacking. As we’ve seen with incidents like those in Georgia, hackers are now often politically motivated professionals serving national governments. This leads to cyber-warfare, where a government employs hacking to cripple functionality or steal intelligence from other governments. And if one government does it, then every other government establishes its own cyber-units, and we now have an arms race on the internet. The New York Times has a good article on the issue.

Instead of discussing cyber-warfare at a more general level, I’d like to talk about cybersecurity concerns in the U.S. electrical infrastructure. To understand the issue, we need to look at the key players in the industry, who they are, and how the government is trying to regulate them.

The U.S. power industry is made up of at least two levels of players: utilities and infrastructure providers. Utilities generally purchase physical infrastructure from the infrastructure providers, then deploy and maintain it. In some cases, these companies also buy and sell energy from other power companies to meet local demand. Examples of such companies include Connecticut Light and Power and Southern California Edison. You pay these guys for your electricity.

The much bigger players are the infrastructure providers like General Electric, Samsung, and Areva. These corporations manufacture the power plants, control systems, and other infrastructure that utilities purchase and install. GE is U.S. based, but Samsung and Areva are German and French respectively, both with sizable stakes in the U.S. market. This raises fairly obvious national security concerns regarding foreign companies manufacturing critical U.S. infrastructure.

Over the past several decades, these power infrastructure corporations have made their monitoring and control systems Internet enabled, so their software now runs over the same networks as the rest of Internet traffic. This is an advantage because it simplifies network infrastructure for supporting the power grid’s management systems, but it also makes the power grid vulnerable to traditional Internet based attacks.

Fortunately, the U.S. government and international agencies are aware of the power grid cybersecurity problem, and are actively legislating and setting standards for power grid security. In the US, we have the Federal Electric Regulatory Commission (FERC) under the Department of Energy. FERC is requiring compliance with the North American Electric Reliability Corporation’s Critical Infrastructure Protection standard (NERC CIP) in 2010. NERC CIP details requirements and implementation plans for North American power utilities to harden themselves against physical, and more importantly, digital intrusion. Additionally, CIP requires mitigation plans in the event of actual attacks.

The National Institute of Standards and Technology also has draft SmartGrid cybersecurity standards, which address Smart Grids, an emerging technology power companies are introducing to increase efficiency and robustness in the grid. Internationally, we have the International Council on Large Electric Systems (CIGRE), which specifies reference architectures, including the next-generation Energy Management System Reference Architecture, which includes cybersecurity as a key component.

Going back to the national level, the Federal Electric Regulatory Commission is requiring compliance according to NERC’s schedule of compliance requirements culminating in a deadline in 2010. NERC CIP includes not only security features, but also auditing, incident reporting, and incident response and mitigation plans in the event of a security breach. NERC specifies timelines for implementation and auditing as well as non-compliance fines of up to $1 million per day. These deadlines put the utility companies on a very tight schedule where total compliance as required seems fairly unlikely for a significant number of the companies.

Unfortunately, in the end NERC CIP is just a step forward, not the ultimate solution. Even if all utilities comply with NERC CIP requirements, we’re still left with the axiom that no piece of complex software is entirely secure. Acknowledging this, NERC CIP requires mitigation plans to control damage when an actual breach happens. NERC is also in the process of revising CIP, with the revisions set for publication in 2010 or 2011.

As the 60 Minutes video also reports, we already know that foreign agencies have penetrated the U.S. power grid’s networks and systems. In the event of a military action, there is almost no question that foreign governments will consider using these keys to damage U.S. electrical infrastructure. Considering how little the government regulated the power industry with regard to cybersecurity, I’m glad that the government is now locking down the power grid in its wider effort to secure critical infrastructure. In the end, NERC CIP is probably not enough, but it’s a good start.