
Bitflips when PCs try to reach windows.com: What could possibly go wrong?


Bitflips are events that cause individual bits stored in an electronic device to flip, turning a 0 to a 1 or vice versa. Cosmic radiation and fluctuations in power or temperature are the most common naturally occurring causes. Research from 2010 estimated that a computer with 4GB of commodity RAM has a 96 percent chance of experiencing a bitflip within three days.

An independent researcher recently demonstrated how bitflips can come back to bite Windows users when their PCs reach out to Microsoft’s windows.com domain. Windows devices do this regularly to perform actions like making sure the time shown in the computer clock is accurate, connecting to Microsoft’s cloud-based services, and recovering from crashes.

Remy, as the researcher asked to be referred to, mapped the 32 valid domain names that were one bitflip away from windows.com. He provided the following to help readers understand how these flips can cause the domain to change to whndows.com:

01110111 01101001 01101110 01100100 01101111 01110111 01110011
w i n d o w s
01110111 01101000 01101110 01100100 01101111 01110111 01110011
w h n d o w s

Of the 32 bit-flipped values that were valid domain names, Remy found that 14 of them were still available for purchase. This was surprising because Microsoft and other companies normally buy these types of one-off domains to protect customers against phishing attacks. He bought them for $126 and set out to see what would happen. The domains were:

  • windnws.com
  • windo7s.com
  • windkws.com
  • windmws.com
  • winlows.com
  • windgws.com
  • wildows.com
  • wintows.com
  • wijdows.com
  • wiodows.com
  • wifdows.com
  • whndows.com
  • wkndows.com
  • wmndows.com
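
To make the enumeration concrete, here is a short Python script, added for this write-up rather than taken from Remy's work, that generates every domain one bit-flip away from a given one and reproduces the binary view shown above. It follows the counting rules the article implies: only the second-level label is flipped, a result must still be a letters-digits-hyphen label, and case flips are discarded because DNS is case-insensitive (flipping bit 5 of a letter lands on the same domain). Under those rules it reaches exactly the 32 names Remy reported and contains all 14 he bought. The script goes one step beyond the article with `find_bitsquat` and `flag_bitsquats`, which run the same Hamming-distance-1 test in reverse over a constructed list of hostnames of the kind a DNS or proxy log would contain, so a defender can spot traffic leaking to a bit-flipped neighbour of a domain they care about. The hostname list is made up for the example.

```python
from typing import List, Optional, Tuple

# Characters allowed in a DNS label under the letters-digits-hyphen rule.
# Upper-case letters are deliberately left out: DNS is case-insensitive,
# so flipping bit 5 (0x20) of a letter lands on the *same* domain.
LDH = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def bitflip_variants(label: str) -> List[Tuple[int, int, str]]:
    """Every (position, bit, new_label) reachable from `label` by flipping
    exactly one bit of one byte, keeping only results that are still a
    syntactically valid and different label."""
    label = label.lower()
    variants = []
    for pos, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped.lower() == ch or flipped not in LDH:
                continue  # same domain after case folding, or not a legal character
            candidate = label[:pos] + flipped + label[pos + 1:]
            if candidate[0] == "-" or candidate[-1] == "-":
                continue  # labels may not start or end with a hyphen
            variants.append((pos, bit, candidate))
    return variants


def bitsquat_domains(domain: str) -> List[str]:
    """Sorted list of domains one bit-flip away from `domain`, flipping only
    the second-level label and leaving the TLD untouched (the article counts
    32 such names for windows.com)."""
    label, _, tld = domain.lower().partition(".")
    return sorted({v + "." + tld for _, _, v in bitflip_variants(label)})


def find_bitsquat(observed: str, watched: str) -> Optional[Tuple[int, int]]:
    """If `observed` differs from `watched` in exactly one bit of one byte,
    return (position, bit); otherwise None. This is the detection direction:
    run it over registrable domains seen in DNS or proxy logs."""
    a, b = observed.lower(), watched.lower()
    if len(a) != len(b):
        return None
    hits = [(i, ord(x) ^ ord(y)) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(hits) != 1:
        return None
    pos, diff = hits[0]
    if diff & (diff - 1):  # more than one bit set in the XOR
        return None
    return pos, diff.bit_length() - 1


def flag_bitsquats(names: List[str], watched: str) -> List[Tuple[str, int, int]]:
    """Reduce each observed hostname to its registrable domain (last two
    labels, adequate for .com-style names) and report any that is one bit
    away from `watched`."""
    flagged = []
    for name in names:
        registrable = ".".join(name.lower().rstrip(".").split(".")[-2:])
        hit = find_bitsquat(registrable, watched)
        if hit:
            flagged.append((name, hit[0], hit[1]))
    return flagged


def binary_view(original: str, variant: str) -> str:
    """Reproduce the article's side-by-side binary rendering of two labels."""
    lines = []
    for word in (original, variant):
        lines.append(" ".join(format(ord(c), "08b") for c in word))
        lines.append(" ".join(word))
    return "\n".join(lines)


# Constructed sample of hostnames as they might appear in a DNS or proxy log.
SAMPLE_HOSTNAMES = [
    "ntp.windows.com",
    "ntp.whndows.com",
    "time.nist.gov",
    "windo7s.com",
    "example.com",
]

if __name__ == "__main__":
    squats = bitsquat_domains("windows.com")
    print(f"{len(squats)} single-bit-flip domains for windows.com:")
    print(", ".join(squats))
    print()
    print(binary_view("windows", "whndows"))
    print()
    for name, pos, bit in flag_bitsquats(SAMPLE_HOSTNAMES, "windows.com"):
        print(f"FLAG {name}: bit {bit} of byte {pos} flipped")
```

Run it with no arguments and it prints the 32 names, the binary comparison for whndows.com, and flags `ntp.whndows.com` and `windo7s.com` from the sample list. Flipping the TLD is intentionally left out: a flip in `.com` either produces an illegal character or a name that no longer sits under `.com`, which is why the count stops at 32.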

No inherent verification

Over the course of two weeks, Remy’s server received 199,180 connections from 626 unique IP addresses that were trying to contact ntp.windows.com. By default, Windows machines will connect to this domain once per week to check that the time shown on the device clock is correct. What the researcher found next was even more surprising.

“The NTP client for windows OS has no inherent verification of authenticity, so there is nothing stopping a malicious person from telling all these computers that…

How A Feud Among Wolf-Kink Erotica FanFic Authors Demonstrates What The Copyright Office Got Wrong In Its DMCA Report

Last week, we wrote about one of the biggest, glaring flaws in the Copyright Office’s long awaited report on the DMCA 512’s safe harbors: its refusal to recognize how frequently the process is abused to take down legitimate works. As if on cue, over the weekend, the NY Times ran quite the story about a feud in (I kid you not) wolf-kink erotica fan fiction that demonstrates how the DMCA is regularly abused to punish and silence people for reasons that have nothing to do with copyright.

The full NY Times article is worth reading, describing a still ongoing legal fight between two fanfic authors who wrote stories building on some apparently common tropes in the wolf-erotica fiction genre. One author sued another, but, as the article notes, all of the supposedly “copied” elements are common throughout the wider genre:

Then, in 2018, Ms. Cain heard about an up-and-coming fantasy writer with the pen name Zoey Ellis, who had published an erotic fantasy series with a premise that sounded awfully familiar. It featured an Alpha and Omega couple, and lots of lupine sex. The more Ms. Cain learned about “Myth of Omega” and its first installment, “Crave to Conquer,” the more outraged she became. In both books, Alpha men are overpowered by the scent of Omega heroines and take them hostage. In both books, the women try and fail to suppress their pheromones and give in to the urge to mate. In both books, the couples sniff, purr and growl; nest in den-like enclosures; neck-bite to leave “claim” marks; and experience something called “knotting,” involving a peculiar feature of the wolf phallus.

[….]

It’s hard to imagine that two writers could independently create such bizarrely specific fantasy scenarios. As it turns out, neither of them did. Both writers built their plots with common elements from a booming, fan-generated body of literature called the Omegaverse.

As the article goes on to note, this whole “Omegaverse” concept spun out of fanfiction based on the TV show “Supernatural.” And then a bunch of common tropes emerged:

Some Omegaverse stories involve lycanthropes (werewolves), vampires, shape-shifters, dragons, space pirates, others feature regular humans. But virtually all Omegaverse couples engage in wolflike behavior. Alphas “rut” and Omegas go through heat cycles, releasing pheromones that drive Alphas into a lusty frenzy. One particular physiological quirk that’s ubiquitous in Omegaverse stories, called knotting, comes from a real feature of wolves’ penises, which swell during intercourse, causing the mating pair to remain physically bound to increase the chance of insemination.

Normally, in copyright law, this should mean that there is no infringement. Either you have the idea/expression dichotomy come into play (the same idea expressed differently is not infringing as the idea itself cannot be covered by copyright) or there’s the concept of scenes a faire, in which a story in a particular genre needs those features to be a part of that genre.

However, even so, the DMCA has been weaponized here:

Ms. Cain urged Blushing Books to do something. The publisher sent copyright violation notices to more than half a dozen online retailers, alleging that Ms. Ellis’s story was “a copy” with scenes that were “almost identical to Addison Cain’s book.” Most of the outlets, including Barnes & Noble, iTunes, and Apple, removed Ms. Ellis’s work immediately.

See that? Merely by claiming infringement using the DMCA’s 512 notice-and-takedown provisions, one author was able to literally delete a bunch of books from most major book stores. Doesn’t that seem like a problem? The Copyright Office barely acknowledges it. But here it’s turned into a massive fight.

In late April 2018, Ms. Ellis got an email from a reader who had ordered one of her books from Barnes & Noble, then learned that it wasn’t available anymore. She soon discovered that all of her Omegaverse books had disappeared from major stores, all because of a claim of copyright infringement from Ms. Cain and her publisher. Ms. Ellis found it bewildering.

“I couldn’t see how a story I had written using recognized tropes from a shared universe, to tell a story that was quite different than anything else out there commercially, could be targeted in that way,” Ms. Ellis said. “There are moments and scenarios that seem almost identical, but it’s a trope that can be found in hundreds of stories.”

While Ellis did file a counternotice, the Times says that online stores were incredibly slow to put the books back (some took months).

A lawyer for Ms. Ellis and Quill filed counter-notices to websites that had removed her books. Some took weeks to restore the titles; others took months. There was no way to recover the lost sales. “As a new author, I was building momentum, and that momentum was lost,” Ms. Ellis said. And she worried that the “plagiarist” label would permanently mar her reputation.

The author, Ellis, eventually sued over the takedown notice, claiming it was improper (and also that it was defamatory, which seems like a SLAPP suit on its own, unfortunately). However, the author accusing Ellis of infringement seems pretty big into SLAPPing as well:

Two years later, Ms. Cain and her publisher filed D.M.C.A. takedown requests against Ms. Ellis’s first two “Myth of Omega” books. Ms. Cain also asked her publisher to file an infringement notice against an Ellis novel that hadn’t even been released yet. “Book three needs to come down too. I don’t want her to make any more money off this series,” Ms. Cain wrote to Blushing Books in April, according to a court filing.

That’s… not how any of this works. The NY Times says that Cain’s publisher caved in and admitted there was no infringement and apparently paid up to settle with Ellis, but Cain has kept the case going. She should lose. By the way, if you want to dig into the details of the actual lawsuit, you can find the docket here. The NY Times does not appear to link to it.

But, as the article makes very, very clear, the DMCA’s notice-and-takedown process has been weaponized repeatedly. If it’s so obviously happening in a niche as small as “wolf-kink erotica fan fiction,” you know it’s happening in many other places as well. It seems ridiculous that the Copyright Office felt this wasn’t worth paying any attention to, assuming instead that the only problem with DMCA 512 was that it didn’t take down enough content fast enough.

Techdirt.

Senator Tillis Angry At The Internet Archive For Helping People Read During A Pandemic; Archive Explains Why That’s Wrong

A few weeks ago, we wrote about the misguided freakout by (mainly) publishers and some authors over the Internet Archive’s decision to launch the National Emergency Library during the COVID-19 pandemic, to help all of us who are stuck at home be able to digitally access books that remain in locked libraries around the country. A key point I made in that post: most (not all, but most) of the criticisms applied to the NEL project could equally apply to regular libraries. And perhaps that’s why hundreds of libraries have come out in support of the project, even as those attacking the project insist that it’s not an attack on libraries.

Either way, it was only a matter of time before publishers got their lapdogs in Congress to start making noise, and first out of the gate was Senator Thom Tillis, who is already deep into his attempt to make copyright law worse, and who last week sent a letter to the Internet Archive’s Brewster Kahle that reads very much like it was written by book publishers. First it gets high and mighty about how the pandemic has “shown the critical value of copyrighted works to the public interest” which is just a weird way to phrase things. The fact that something valuable is covered by copyright does not automatically mean that copyright is helpful or valuable for that situation. Then it gets to the point:

I am not aware of any measure under copyright law that permits a user of copyrighted works to unilaterally create an emergency copyright act. Indeed, I am deeply concerned that your “Library” is operating outside the boundaries of the copyright law that Congress has enacted and alone has jurisdiction to amend.

A few days later, Kahle responded in a detailed and thorough letter to Tillis. It points out that the Internet Archive is well-established and recognized by the state of California as a library, and that it has already shown that it has a legal right to digitize books. It then goes on to explain that the point of the NEL is to help Tillis’ own constituents access the books that their tax dollars paid for while those books sit collecting dust inside libraries that are closed during the pandemic.

The National Emergency Library was developed to address a temporary and significant need in our communities — for the first time in our nation’s history, the entire physical library system is offline and unavailable. Your constituents have paid for millions of books they currently cannot access. According to National Public Library survey data from 2018-2019, North Carolina’s public libraries house more than fifteen million print book volumes in three-hundred twenty-three branches across the State. Because those branches are now closed and their books are unavailable, the massive public investment paid for by tax-paying citizens is unavailable to the very people who funded it. This also goes for public school libraries and academic libraries at community colleges, public colleges and universities as well. The National Emergency Library was envisioned to meet this challenge of providing digital access to print materials, helping teachers, students and communities gain access to books while their schools and libraries are closed.

It also highlights something else that many had missed: the NEL does not include any books published within the last five years — which is pretty important, since the commercial value of a book usually exists in the first couple years after publishing. Indeed, a recent study highlighted how the vast, vast, vast majority of sales tends to come soon after a book is published and then sales decline rapidly. So the argument that the NEL is somehow taking away from author income is already somewhat questionable.

And, indeed, the Archive is currently seeing evidence that suggests the NEL is not actually impacting author earnings in any significant way:

In an early analysis of the use we are seeing what we expected: 90% of the books borrowed were published more than ten years ago, two-thirds were published during the twentieth century. The number of books being checked out and read is comparable to that of a town of about 30,000 people. Further, about 90% of people borrowing the book only looked at it for 30 minutes. These usage patterns suggest that perhaps patrons may be using the checked-out book for fact checking or research, but we suspect a large number of people are browsing the book in a way similar to browsing library shelves.

The Internet Archive has also been highlighting case studies of teachers and students helped out by the NEL.

Kahle also explains to Tillis how he’s wrong to say that copyright law does not allow this kind of lending. It’s called fair use.

You raise the question of how this comports with copyright law. Fortunately, we do not need an “emergency copyright act” because the fair use doctrine, codified in the Copyright Act, provides flexibility to libraries and others to adjust to changing circumstances. As a result, libraries can and are meeting the needs of their patrons during this crisis in a variety of ways. The Authors Guild, the leading critic of the National Emergency Library, has been incorrect in their assessment of the scope and flexibility of the fair use doctrine in the past and this is another instance where we respectfully disagree.

The reference regarding the Authors Guild being wrong about fair use refers to its years-long fight to stop libraries from digitizing books, which resulted in a massive loss for the Guild’s ridiculous interpretation of copyright and fair use.

In the end there are a bunch of important points here: even if Tillis is right that copyright is somehow proving its value in a pandemic (and he’s not), that doesn’t change the simple fact that this library is enabling people who cannot check out physical books from their locked community libraries to at least be able to access those books while remaining safe at home. The Internet Archive has legal scans of these books, and hundreds of libraries are supporting this effort. While it’s true, as some authors and publishers highlight, that there are official ebooks for some books, many (especially older) books do not have them at all — and those include lots of books that are commonly read in classrooms. And, as we pointed out last time, in cases where there are official ebooks, almost anyone would prefer to get those copies, because they are much easier to read and designed to be read on a reading device (specialized reading device, tablet, or phone) as compared to the NEL scans, which are straight scans of the book pages.

No matter what, it’s a really bad look for Tillis to stomp around complaining that his constituents might actually be able to read books that are currently locked up in libraries. Remember that the entire intent of copyright law in the first place, and the subtitle of the US’s very first copyright law, was that it be to enable learning. The Internet Archive is trying to help push forward that clear goal of copyright law… while Senator Tillis seems to want to stop it.

In the end, there’s very little “there” there to the complaints about this project. It’s difficult to see how it’s harming author revenue in any real way, but it is clearly helping schools and students while the libraries and books they normally use are unavailable. And, there are strong arguments for why this is perfectly legal under copyright law — and if the claim is that we should wait until that’s absolutely proven in court, well, that kinda misses the whole point of helping out during a pandemic.

As professor Brian Frye recently wrote about all of this: “When you find yourself complaining about libraries, you might want to think twice about your priorities.” And I’d say that counts double in the midst of a pandemic.


Senators Pretend That EARN IT Act Wouldn’t Be Used To Undermine Encryption; They’re Wrong

On Wednesday, the Senate held a hearing about the EARN IT Act, the bill that is designed to undermine the internet and encryption in one single move — all in the name of “protecting the children” (something that it simply will not do). Pretty much the entire thing was infuriating, but I wanted to focus on one key aspect. Senators supporting the bill, including sponsor Richard Blumenthal — who has been attacking the internet since well before he was in the Senate and was just the Attorney General of Connecticut — kept trying to insist the bill had nothing to do with encryption and wouldn’t be used to undermine encryption. In response to a letter from Facebook, Blumenthal kept insisting that the bill is not about encryption, and also insisting (incorrectly) that if the internet companies just nerded harder, they could keep encryption while still giving law enforcement access.

“This bill says nothing about encryption,” Sen. Richard Blumenthal…, said at a hearing Wednesday to discuss the legislation…

[….]

“Strong law enforcement is compatible with strong encryption,” Blumenthal said. “I believe it, Big Tech knows it and either is Facebook is lying — and I think they’re telling us the truth when they say that law enforcement is consistent with strong encryption — or Big Tech is using encryption as a subterfuge to oppose this bill.”

No, the only one engaged in lying or subterfuge here is Blumenthal (alternatively, he’s so fucking ignorant that he should resign). “Strong” encryption is end-to-end encryption. Once you create a backdoor that lets law enforcement in, you’ve broken the encryption and it’s no longer strong. Even worse, it’s very, very weak, and it puts everyone (even Senator Blumenthal and all his constituents) at risk. If you want to understand how this bill is very much about killing encryption, maybe listen to cryptographer Matthew Green explain it to you (he’s not working for “Big Tech,” Senator):

EARN IT works by revoking a type of liability called Section 230 that makes it possible for providers to operate on the Internet, by preventing the provider for being held responsible for what their customers do on a platform like Facebook. The new bill would make it financially impossible for providers like WhatsApp and Apple to operate services unless they conduct “best practices” for scanning their systems for CSAM.

Since there are no “best practices” in existence, and the techniques for doing this while preserving privacy are completely unknown, the bill creates a government-appointed committee that will tell technology providers what technology they have to use. The specific nature of the committee is byzantine and described within the bill itself. Needless to say, the makeup of the committee, which can include as few as zero data security experts, ensures that end-to-end encryption will almost certainly not be considered a best practice.

So in short: this bill is a backdoor way to allow the government to ban encryption on commercial services. And even more beautifully: it doesn’t come out and actually ban the use of encryption, it just makes encryption commercially infeasible for major providers to deploy, ensuring that they’ll go bankrupt if they try to disobey this committee’s recommendations.

It’s the kind of bill you’d come up with if you knew the thing you wanted to do was unconstitutional and highly unpopular, and you basically didn’t care.

Or listen to Stanford’s Riana Pfefferkorn explain how the bill’s real target is encryption. As she explains, the authors of the bill (including Blumenthal) had ample opportunity to put in language that would make it clear that it does not target encryption. They chose not to.

As for the “subterfuge” Blumenthal calls out, the only real “subterfuge” here is by Blumenthal and Graham in crafting this bill with the help of the DOJ. Remember, just the day before the DOJ flat out said that 230 should be conditioned on letting law enforcement into any encrypted communications. So if Blumenthal really means that this bill won’t impact encryption he should write it into the fucking bill. Because as it’s structured right now, in order to keep 230 protections, internet companies will have to follow a set of “best practices” put together by a panel headed by the Attorney General who has said multiple times that he doesn’t believe real encryption should be allowed on these services.

So if Blumenthal wants us to believe that his bill won’t undermine encryption, he should address it explicitly, rather than lying about it in a Senate hearing, while simultaneously claiming that Facebook (and every other company) can do the impossible in giving law enforcement backdoor access while keeping encrypted data secure.
