law

How the Greek cell phone network was compromised

From Vassilis Prevelakis and Diomidis Spinellis’ “The Athens Affair” (IEEE Spectrum: July 2007):

On 9 March 2005, a 38-year-old Greek electrical engineer named Costas Tsalikidis was found hanged in his Athens loft apartment, an apparent suicide. It would prove to be merely the first public news of a scandal that would roil Greece for months.

The next day, the prime minister of Greece was told that his cellphone was being bugged, as were those of the mayor of Athens and at least 100 other high-ranking dignitaries, including an employee of the U.S. embassy.

The victims were customers of Athens-based Vodafone-Panafon, generally known as Vodafone Greece, the country’s largest cellular service provider; Tsalikidis was in charge of network planning at the company.

We now know that the illegally implanted software, which was eventually found in a total of four of Vodafone’s Greek switches, created parallel streams of digitized voice for the tapped phone calls. One stream was the ordinary one, between the two calling parties. The other stream, an exact copy, was directed to other cellphones, allowing the tappers to listen in on the conversations on the cellphones, and probably also to record them. The software also routed location and other information about those phone calls to these shadow handsets via automated text messages.

The day after Tsalikidis’s body was discovered, CEO Koronias met with the director of the Greek prime minister’s political office. Yiannis Angelou, and the minister of public order, Giorgos Voulgarakis. Koronias told them that rogue software used the lawful wiretapping mechanisms of Vodafone’s digital switches to tap about 100 phones and handed over a list of bugged numbers. Besides the prime minister and his wife, phones belonging to the ministers of national defense, foreign affairs, and justice, the mayor of Athens, and the Greek European Union commissioner were all compromised. Others belonged to members of civil rights organizations, peace activists, and antiglobalization groups; senior staff at the ministries of National Defense, Public Order, Merchant Marine, and Foreign Affairs; the New Democracy ruling party; the Hellenic Navy general staff; and a Greek-American employee at the United States Embassy in Athens.

First, consider how a phone call, yours or a prime minister’s, gets completed. Long before you dial a number on your handset, your cellphone has been communicating with nearby cellular base stations. One of those stations, usually the nearest, has agreed to be the intermediary between your phone and the network as a whole. Your telephone handset converts your words into a stream of digital data that is sent to a transceiver at the base station.

The base station’s activities are governed by a base station controller, a special-purpose computer within the station that allocates radio channels and helps coordinate handovers between the transceivers under its control.

This controller in turn communicates with a mobile switching center that takes phone calls and connects them to call recipients within the same switching center, other switching centers within the company, or special exchanges that act as gateways to foreign networks, routing calls to other telephone networks (mobile or landline). The mobile switching centers are particularly important to the Athens affair because they hosted the rogue phone-tapping software, and it is there that the eavesdropping originated. They were the logical choice, because they are at the heart of the network; the intruders needed to take over only a few of them in order to carry out their attack.

Both the base station controllers and the switching centers are built around a large computer, known as a switch, capable of creating a dedicated communications path between a phone within its network and, in principle, any other phone in the world. Switches are holdovers from the 1970s, an era when powerful computers filled rooms and were built around proprietary hardware and software. Though these computers are smaller nowadays, the system’s basic architecture remains largely unchanged.

Like most phone companies, Vodafone Greece uses the same kind of computer for both its mobile switching centers and its base station controllers—Ericsson’s AXE line of switches. A central processor coordinates the switch’s operations and directs the switch to set up a speech or data path from one phone to another and then routes a call through it. Logs of network activity and billing records are stored on disk by a separate unit, called a management processor.

The key to understanding the hack at the heart of the Athens affair is knowing how the Ericsson AXE allows lawful intercepts—what are popularly called “wiretaps.” Though the details differ from country to country, in Greece, as in most places, the process starts when a law enforcement official goes to a court and obtains a warrant, which is then presented to the phone company whose customer is to be tapped.

Nowadays, all wiretaps are carried out at the central office. In AXE exchanges a remote-control equipment subsystem, or RES, carries out the phone tap by monitoring the speech and data streams of switched calls. It is a software subsystem typically used for setting up wiretaps, which only law officers are supposed to have access to. When the wiretapped phone makes a call, the RES copies the conversation into a second data stream and diverts that copy to a phone line used by law enforcement officials.

Ericsson optionally provides an interception management system (IMS), through which lawful call intercepts are set up and managed. When a court order is presented to the phone company, its operators initiate an intercept by filling out a dialog box in the IMS software. The optional IMS in the operator interface and the RES in the exchange each contain a list of wiretaps: wiretap requests in the case of the IMS, actual taps in the RES. Only IMS-initiated wiretaps should be active in the RES, so a wiretap in the RES without a request for a tap in the IMS is a pretty good indicator that an unauthorized tap has occurred. An audit procedure can be used to find any discrepancies between them.

It took guile and some serious programming chops to manipulate the lawful call-intercept functions in Vodafone’s mobile switching centers. The intruders’ task was particularly complicated because they needed to install and operate the wiretapping software on the exchanges without being detected by Vodafone or Ericsson system administrators. From time to time the intruders needed access to the rogue software to update the lists of monitored numbers and shadow phones. These activities had to be kept off all logs, while the software itself had to be invisible to the system administrators conducting routine maintenance activities. The intruders achieved all these objectives.

The challenge faced by the intruders was to use the RES’s capabilities to duplicate and divert the bits of a call stream without using the dialog-box interface to the IMS, which would create auditable logs of their activities. The intruders pulled this off by installing a series of patches to 29 separate blocks of code, according to Ericsson officials who testified before the Greek parliamentary committee that investigated the wiretaps. This rogue software modified the central processor’s software to directly initiate a wiretap, using the RES’s capabilities. Best of all, for them, the taps were not visible to the operators, because the IMS and its user interface weren’t used.

The full version of the software would have recorded the phone numbers being tapped in an official registry within the exchange. And, as we noted, an audit could then find a discrepancy between the numbers monitored by the exchange and the warrants active in the IMS. But the rogue software bypassed the IMS. Instead, it cleverly stored the bugged numbers in two data areas that were part of the rogue software’s own memory space, which was within the switch’s memory but isolated and not made known to the rest of the switch.

That by itself put the rogue software a long way toward escaping detection. But the perpetrators hid their own tracks in a number of other ways as well. There were a variety of circumstances by which Vodafone technicians could have discovered the alterations to the AXE’s software blocks. For example, they could have taken a listing of all the blocks, which would show all the active processes running within the AXE—similar to the task manager output in Microsoft Windows or the process status (ps) output in Unix. They then would have seen that some processes were active, though they shouldn’t have been. But the rogue software apparently modified the commands that list the active blocks in a way that omitted certain blocks—the ones that related to intercepts—from any such listing.

In addition, the rogue software might have been discovered during a software upgrade or even when Vodafone technicians installed a minor patch. It is standard practice in the telecommunications industry for technicians to verify the existing block contents before performing an upgrade or patch. We don’t know why the rogue software was not detected in this way, but we suspect that the software also modified the operation of the command used to print the checksums—codes that create a kind of signature against which the integrity of the existing blocks can be validated. One way or another, the blocks appeared unaltered to the operators.

Finally, the software included a back door to allow the perpetrators to control it in the future. This, too, was cleverly constructed to avoid detection. A report by the Hellenic Authority for the Information and Communication Security and Privacy (the Greek abbreviation is ADAE) indicates that the rogue software modified the exchange’s command parser—a routine that accepts commands from a person with system administrator status—so that innocuous commands followed by six spaces would deactivate the exchange’s transaction log and the alarm associated with its deactivation, and allow the execution of commands associated with the lawful interception subsystem. In effect, it was a signal to allow operations associated with the wiretaps but leave no trace of them. It also added a new user name and password to the system, which could be used to obtain access to the exchange.

…Security experts have also discovered other rootkits for general-purpose operating systems, such as Linux, Windows, and Solaris, but to our knowledge this is the first time a rootkit has been observed on a special-purpose system, in this case an Ericsson telephone switch.

So the investigators painstakingly reconstructed an approximation of the original PLEX source files that the intruders developed. It turned out to be the equivalent of about 6500 lines of code, a surprisingly substantial piece of software.

How the Greek cell phone network was compromised Read More »

The latest on electronic voting machines

From James Turner’s interview with Dr. Barbara Simons, past President of the Association for Computing Machinery & recent appointee to the Advisory Board of the Federal Election Assistance Commission, at “A 2008 e-Voting Wrapup with Dr. Barbara Simons” (O’Reilly Media: 7 November 2008):

[Note from Scott: headers added by me]

Optical Scan: Good & Bad

And most of the voting in Minnesota was done on precinct based optical scan machines, paper ballot which is then fed into the optical scanner at the precinct. And the good thing about that is it gives the voter immediate feedback if there is any problem, such as over-voting, voting twice for a candidate.

Well there’s several problems; one is–well first of all, as you say because these things have computers in them they can be mis-programmed, there can be software bugs. You could conceivably have malicious code. You could have the machines give you a different count from the right one. There was a situation back in the 2004 race where Gephardt in one of the Primaries–Gephardt received a large number of votes after he had withdrawn from the race. And this was done–using paper ballots, using optical scan paper ballots. I don’t know if it was this particular brand or not. And when they were recounted it was discovered that in fact that was the wrong result; that he had gotten fewer votes. Now I never saw an explanation for what happened but my guess is that whoever programmed these machines had mistakenly assigned the slot that was for Kerry to Gephardt and the slot that was for Gephardt to Kerry; that’s my guess. Now I don’t know if that’s true but if that did happen I think there’s very little reason to believe it was malicious because there was really nothing to be gained by doing that. So I think it was just an honest error but of course errors can occur.

DRE Studies

Ohio conducted a major study of electronic voting machines called the Everest Study which was commissioned by the current Secretary of State Bruner, Secretary of State Bruner and this study uncovered huge problems with these–with most of these voting systems, these touch screen voting systems. They were found to be insecure, unreliable, difficult to use; basically a similar study had been studied in California not too much earlier called the Top to Bottom Review and the Ohio study confirmed every–all of the problems that had been uncovered in California and found additional problems, so based on that there was a push to get rid of a lot of these machines.

States Using DREs

Maryland and Georgia are entirely touch screen States and so is New Jersey. In Maryland they’re supposed to replace them with optical scan paper ballots by 2010 but there’s some concern that there may not be the funding to do that. In fact Maryland and Georgia both use Diebold which is now called Premier, paperless touch screen voting machines; Georgia started using them in 2002 and in that race, that’s the race in which Max Cleveland, the Democratic Senator, paraplegic from–the Vietnam War Vet was defeated and I know that there are some people who questioned the outcome of that race because the area polls had showed him winning. And because that race–those machines are paperless there was no way to check the outcome. Another thing that was of a concern in Maryland in 2002 was that–I mean in Georgia in 2002 was that there were last minute software patches being added to the machines just before the Election and the software patches hadn’t really been inspected by any kind of independent agency.

More on Optical Scans

Well I think scanned ballots–well certainly scanned ballots give you a paper trail and they give you a good paper trail. The kind of paper trail you want and it’s not really a paper trail; it’s paper ballots because they are the ballots. What you want is you want it to be easy to audit and recount an election. And I think that’s something that really people hadn’t taken into consideration early on when a lot of these machines were first designed and purchased.

Disabilities

One of the things that was investigated in California when they did the Top to Bottom Review was just how easy is it for people with disabilities to use these touch screen machines? Nobody had ever done that before and these test results came back very negatively. If you look at the California results they’re very negative on these touch screen machines. In many cases people in wheelchairs had a very difficult time being able to operate them correctly, people who were blind sometimes had troubles understanding what was being said or things were said too loudly or too softly or they would get confused about the instructions or some of the ways that they had for manual inputting; their votes were confusing.

There is a–there are these things called Ballot Generating Devices which are not what we generally refer to as touch screen machines although they can be touch screen. The most widely used one is called the Auto Mark. And the way the Auto Mark works is you take a paper ballots, one of these optical scan ballots and you insert it into the Auto Mark and then it operates much the same way that these other paperless–potentially paperless touch screen machines work. It has a headphone–headset so that a blind voter can use it; it has–it’s possible for somebody in a wheelchair to vote, although in fact you don’t have to use this if you’re in a wheelchair; you can vote optical scan clearly. Somebody who has severe mobility impairments can vote on these machines using a sip, puff device where if you sip it’s a zero or one and if you puff it’s the opposite or a yes or a no. And these–the Auto Mark was designed with disability people in mind from early on. And it faired much better in the California tests. What it does is at the end when the voter with disabilities is finished he or she will say okay cast my ballot. At that point the Auto Mark simply marks the optical scan ballot; it just marks it. And then you have an optical scan ballot that can be read by an optical scanner. There should be no problems with it because it’s been generated by a machine. And you have a paper ballot that can be recounted.

Problems with DREs vs Optical Scans

One of the things to keep in–there’s a couple things to keep in mind when thinking about replacing these systems. The first is that these direct recording electronic systems or touch screen systems as they’re called they have to have–the States and localities that buy these systems have to have maintenance contracts with the vendors because they’re very complicated systems to maintain and of course the software is a secret. So some of these contracts are quite costly and these are ongoing expenses with these machines. In addition, because they have software in them they have to be securely stored and they have to be securely delivered and those create enormous problems especially when you have to worry about delivering large numbers of machines to places prior to the election. Frequently these machines end up staying in people’s garages or in churches for periods of time when they’re relatively insecure.

And you need far fewer scanners; the security issues with scanners are not as great because you can do an audit and a recount, so altogether it just seems to me that moving to paper based optical scan systems with precinct scanners so that the voter gets feedback on the ballot if the voter votes twice for President; the ballot is kicked out and the voter can vote a new ballot.

And as I say there is the Auto Mark for voters with disabilities to use; there’s also another system called Populex but that’s not as widely used as Auto Mark. There could be new systems coming forward.

1/2 of DREs Broken in Pennsylvania on Election Day

Editor’s Note: Dr. Simons wrote me later to say: “Many Pennsylvania polling places opened on election day with half or more of their voting machines broken — so they used emergency paper ballots until they could fix their machines.”

The latest on electronic voting machines Read More »

Tracking children who might commit a crime later

From Mark Townsend and Anushka Asthana’s “Put young children on DNA list, urge police” (The Guardian: 16 March 2008):

Primary school children should be eligible for the DNA database if they exhibit behaviour indicating they may become criminals in later life, according to Britain’s most senior police forensics expert.

Gary Pugh, director of forensic sciences at Scotland Yard and the new DNA spokesman for the Association of Chief Police Officers (Acpo), said a debate was needed on how far Britain should go in identifying potential offenders, given that some experts believe it is possible to identify future offending traits in children as young as five.

Tracking children who might commit a crime later Read More »

Craigslist “everything is free!” scams

Robert Salisbury

From “Man scammed by Craigslist ad” (The Seattle Times: 24 March 2008):

The ads popped up Saturday afternoon, saying the owner of a Jacksonville home was forced to leave the area suddenly and his belongings, including a horse, were free for the taking, said Jackson County sheriff’s Detective Sgt. Colin Fagan.

But Robert Salisbury had no plans to leave. The independent contractor was at Emigrant Lake when he got a call from a woman who had stopped by his house to claim his horse.

On his way home he stopped a truck loaded down with his work ladders, lawn mower and weed eater.

“I informed them I was the owner, but they refused to give the stuff back,” Salisbury said. “They showed me the Craigslist printout and told me they had the right to do what they did.”

The driver sped away after rebuking Salisbury. On his way home he spotted other cars filled with his belongings.

Once home he was greeted by close to 30 people rummaging through his barn and front porch.

From “Couple held in Craigslist theft case” (The Seattle Times: 1 April 2008):

Police on Monday arrested a Medford couple who allegedly used hoax postings on Craigslist to cover up their own thefts from a rural Jacksonville residence later inundated by Craigslist readers who thought the house’s contents were free pickings for the taking.

Amber D. Herbert, 28, and Brandon D. Herbert, 29, were taken into custody on burglary, theft and computer crime charges involving the Craigslist hoax that drew international attention and cost the victim several thousand dollars, authorities said.

…the Herberts told police they took several saddles from the property and sold them over the Internet.

Laurie Raye

From “Tacoma woman’s house emptied after craigslist hoax” (The Seattle Times: 5 April 2007):

Laurie Raye said she had everything stripped from her home after someone placed a fake ad on the San Francisco-based Internet site, a collection of online classifieds.

Raye had recently evicted a tenant and cleaned out the rental.

The ad posted last weekend welcomed people to take for free anything they wanted from the home. It has since been pulled from the site, but not before the residence was stripped of light fixtures, the hot water heater and the kitchen sink.

Neighbors said they saw strangers hauling items away, apparently looking for salvage material.

Even the front door and a vinyl window were pilfered, Raye said.

“In the ad, it said come and take what you want. Everything is free,” she said. “Please help yourself to anything on the property.”

From “Woman charged after Craigslist posting resulted in a house stripped” (The Seattle Times: 17 May 2007):

Pierce County prosecutors have filed charges against the niece of a woman whose house was stripped clean after a Craigslist.org posting advertised that everything in the home was free.

Nichole Blackwell, 28, was charged with second-degree burglary, malicious mischief and criminal impersonation for allegedly posting an ad that read, “Moving out … House being demolished. Come and take whatever you want, nothing is off limits,” on the online classifieds Web site, according to charging documents from Pierce County Superior Court.

It wasn’t until six days after the ad was posted that Laurie Raye, owner of the home in the 1200 block of East 64th Street in Tacoma, checked on the house to find it stripped.

Nearly everything that wasn’t bolted down — and some stuff that was — was taken.

People, thinking that they could remove whatever they wanted, grabbed the refrigerator, front door and kitchen sink, among other things, according to the documents.

Police believe Blackwell disliked Raye and was particularly upset because Raye had recently evicted Blackwell’s mother from the house.

Craigslist “everything is free!” scams Read More »

Cheating, security, & theft in virtual worlds and online games

From Federico Biancuzzi’s interview with security researchers Greg Hoglund & Gary McGraw, authors of Exploiting Online Games, in “Real Flaws in Virtual Worlds” (SecurityFocus: 20 December 2007):

The more I dug into online game security, the more interesting things became. There are multiple threads intersecting in our book: hackers who cheat in online games and are not detected can make tons of money selling virtual items in the middle market; the law says next to nothing about cheating in online games, so doing so is really not illegal; the kinds of technological attacks and exploits that hackers are using to cheat in online games are an interesting bellwether; software is evolving to look very much like massively distributed online games look today with thick clients and myriad time and state related security problems. [Emphasis added]

In Brazil, a criminal gang even kidnapped a star MMORPG player in order to take away his character, and its associated virtual wealth.

The really interesting thing about online game security is that the attackers are in most cases after software running on their own machine, not software running on somebody else’s box. That’s a real change. Interestingly, the laws we have developed in computer security don’t have much to say about cheating in a game or hacking software on your own PC.

Cheating, security, & theft in virtual worlds and online games Read More »

Lots of good info about the FBI’s far-reaching wiretapping of US phone systems

From Ryan Singel’s “Point, Click … Eavesdrop: How the FBI Wiretap Net Operates” (Wired News: 29 August 2007):

The FBI has quietly built a sophisticated, point-and-click surveillance system that performs instant wiretaps on almost any communications device, according to nearly a thousand pages of restricted documents newly released under the Freedom of Information Act.

The surveillance system, called DCSNet, for Digital Collection System Network, connects FBI wiretapping rooms to switches controlled by traditional land-line operators, internet-telephony providers and cellular companies. It is far more intricately woven into the nation’s telecom infrastructure than observers suspected.

It’s a “comprehensive wiretap system that intercepts wire-line phones, cellular phones, SMS and push-to-talk systems,” says Steven Bellovin, a Columbia University computer science professor and longtime surveillance expert.

DCSNet is a suite of software that collects, sifts and stores phone numbers, phone calls and text messages. The system directly connects FBI wiretapping outposts around the country to a far-reaching private communications network.

The $10 million DCS-3000 client, also known as Red Hook, handles pen-registers and trap-and-traces, a type of surveillance that collects signaling information — primarily the numbers dialed from a telephone — but no communications content. (Pen registers record outgoing calls; trap-and-traces record incoming calls.)

DCS-6000, known as Digital Storm, captures and collects the content of phone calls and text messages for full wiretap orders.

A third, classified system, called DCS-5000, is used for wiretaps targeting spies or terrorists.

What DCSNet Can Do

Together, the surveillance systems let FBI agents play back recordings even as they are being captured (like TiVo), create master wiretap files, send digital recordings to translators, track the rough location of targets in real time using cell-tower information, and even stream intercepts outward to mobile surveillance vans.

FBI wiretapping rooms in field offices and undercover locations around the country are connected through a private, encrypted backbone that is separated from the internet. Sprint runs it on the government’s behalf.

The network allows an FBI agent in New York, for example, to remotely set up a wiretap on a cell phone based in Sacramento, California, and immediately learn the phone’s location, then begin receiving conversations, text messages and voicemail pass codes in New York. With a few keystrokes, the agent can route the recordings to language specialists for translation.

The numbers dialed are automatically sent to FBI analysts trained to interpret phone-call patterns, and are transferred nightly, by external storage devices, to the bureau’s Telephone Application Database, where they’re subjected to a type of data mining called link analysis.

The numerical scope of DCSNet surveillance is still guarded. But we do know that as telecoms have become more wiretap-friendly, the number of criminal wiretaps alone has climbed from 1,150 in 1996 to 1,839 in 2006. That’s a 60 percent jump. And in 2005, 92 percent of those criminal wiretaps targeted cell phones, according to a report published last year.

These figures include both state and federal wiretaps, and do not include antiterrorism wiretaps, which dramatically expanded after 9/11. They also don’t count the DCS-3000’s collection of incoming and outgoing phone numbers dialed. Far more common than full-blown wiretaps, this level of surveillance requires only that investigators certify that the phone numbers are relevant to an investigation.

In the 1990s, the Justice Department began complaining to Congress that digital technology, cellular phones and features like call forwarding would make it difficult for investigators to continue to conduct wiretaps. Congress responded by passing the Communications Assistance for Law Enforcement Act, or CALEA, in 1994, mandating backdoors in U.S. telephone switches.

CALEA requires telecommunications companies to install only telephone-switching equipment that meets detailed wiretapping standards. Prior to CALEA, the FBI would get a court order for a wiretap and present it to a phone company, which would then create a physical tap of the phone system.

With new CALEA-compliant digital switches, the FBI now logs directly into the telecom’s network. Once a court order has been sent to a carrier and the carrier turns on the wiretap, the communications data on a surveillance target streams into the FBI’s computers in real time.

The released documents suggest that the FBI’s wiretapping engineers are struggling with peer-to-peer telephony provider Skype, which offers no central location to wiretap, and with innovations like caller-ID spoofing and phone-number portability.

Despite its ease of use, the new technology is proving more expensive than a traditional wiretap. Telecoms charge the government an average of $2,200 for a 30-day CALEA wiretap, while a traditional intercept costs only $250, according to the Justice Department inspector general. A federal wiretap order in 2006 cost taxpayers $67,000 on average, according to the most recent U.S. Court wiretap report.

What’s more, under CALEA, the government had to pay to make pre-1995 phone switches wiretap-friendly. The FBI has spent almost $500 million on that effort, but many traditional wire-line switches still aren’t compliant.

Processing all the phone calls sucked in by DCSNet is also costly. At the backend of the data collection, the conversations and phone numbers are transferred to the FBI’s Electronic Surveillance Data Management System, an Oracle SQL database that’s seen a 62 percent growth in wiretap volume over the last three years — and more than 3,000 percent growth in digital files like e-mail. Through 2007, the FBI has spent $39 million on the system, which indexes and analyzes data for agents, translators and intelligence analysts.

Lots of good info about the FBI’s far-reaching wiretapping of US phone systems Read More »

Matching voters with their votes, thanks to voting machines

From Declan McCullagh’s “E-voting predicament: Not-so-secret ballots” (CNET News: 20 August 2007):

Two Ohio activists have discovered that e-voting machines made by Election Systems and Software and used across the country produce time-stamped paper trails that permit the reconstruction of an election’s results — including allowing voter names to be matched to their actual votes.

Ohio law permits anyone to walk into a county election office and obtain two crucial documents: a list of voters in the order they voted, and a time-stamped list of the actual votes. “We simply take the two pieces of paper together, merge them, and then we have which voter voted and in which way,” said James Moyer, a longtime privacy activist and poll worker who lives in Columbus, Ohio.
Click for gallery

Once the two documents are merged, it’s easy enough to say that the first voter who signed in is very likely going to be responsible for the first vote cast, and so on.

Other suppliers of electronic voting machines say they do not include time stamps in their products that provide voter-verified paper audit trails. Sequoia Voting Systems and Hart Intercivic both said they don’t. A spokesman for Diebold Election Systems (now Premier Election Solutions), said they don’t for security and privacy reasons…

David Wagner, a professor of computer science at the University of California, Berkeley, said electronic storage of votes in the order that voters cast them is a recurring problem with e-voting machines.

“This summer I learned that Diebold’s AV-TSX touchscreen voting machine stores a time stamp showing the time which each vote was cast–down to the millisecond–along with the electronic record of that vote,” Wagner said in an e-mail message. “In particular, we discovered this as part of the California top-to-bottom review and reported it in our public report on the Diebold voting system. However, I had no idea that this kind of information was available to the public as a public record.”

Matching voters with their votes, thanks to voting machines Read More »

If concerts bring money in for the music biz, what happens when concerts get smaller?

From Jillian Cohen’s “The Show Must Go On” (The American: March/April 2008):

You can’t steal a concert. You can’t download the band—or the sweaty fans in the front row, or the merch guy, or the sound tech—to your laptop to take with you. Concerts are not like albums—easy to burn, copy, and give to your friends. If you want to share the concert-going experience, you and your friends all have to buy tickets. For this reason, many in the ailing music industry see concerts as the next great hope to revive their business.

It’s a blip that already is fading, to the dismay of the major record labels. CD sales have dropped 25 percent since 2000 and digital downloads haven’t picked up the slack. As layoffs swept the major labels this winter, many industry veterans turned their attention to the concert business, pinning their hopes on live performances as a way to bolster their bottom line.

Concerts might be a short-term fix. As one national concert promoter says, “The road is where the money is.” But in the long run, the music business can’t depend on concert tours for a simple, biological reason: the huge tour profits that have been generated in the last few decades have come from performers who are in their 40s, 50s, and 60s. As these artists get older, they’re unlikely to be replaced, because the industry isn’t investing in new talent development.

When business was good—as it was when CD sales grew through much of the 1990s—music labels saw concert tours primarily as marketing vehicles for albums. Now, they’re seizing on the reverse model. Tours have become a way to market the artist as a brand, with the fan clubs, limited-edition doodads, and other profitable products and services that come with the territory.

“Overall, it’s not a pretty picture for some parts of the industry,” JupiterResearch analyst David Card wrote in November when he released a report on digital music sales. “Labels must act more like management companies, and tap into the broadest collection of revenue streams and licensing as possible,” he said. “Advertising and creative packaging and bundling will have to play a bigger role than they have. And the $3 billion-plus touring business is not exactly up for grabs—it’s already competitive and not very profitable. Music companies of all types need to use the Internet for more cost-effective marketing, and A&R [artist development] risk has to be spread more fairly.”

The ‘Heritage Act’ Dilemma

Even so, belief in the touring business was so strong last fall that Madonna signed over her next ten years to touring company Live Nation—the folks who put on megatours for The Rolling Stones, The Police, and other big headliners—in a deal reportedly worth more than $120 million. The Material Girl’s arrangement with Live Nation is known in the industry as a 360-degree deal. Such deals may give artists a big upfront payout in exchange for allowing record labels or, in Madonna’s case, tour producers to profit from all aspects of their business, including touring, merchandise, sponsorships, and more.

While 360 deals may work for big stars, insiders warn that they’re not a magic bullet that will save record labels from their foundering, top-heavy business model. Some artists have done well by 360 contracts, including alt-metal act Korn and British pop sensation Robbie Williams. With these successes in mind, some tout the deals as a way for labels to recoup money they’re losing from downloads and illegal file sharing. But the artists who are offered megamillions for a piece of their brand already have built it through years of album releases, heavy touring, and careful fan-base development.

Not all these deals are good ones, says Bob McLynn, who manages pop-punk act Fall Out Boy and other young artists through his agency, Crush Management. Labels still have a lot to offer, he says. They pay for recording sessions, distribute CDs, market a band’s music, and put up money for touring, music-video production, and other expenses. But in exchange, music companies now want to profit from more than a band’s albums and recording masters. “The artist owns the brand, and now the labels—because they can’t sell as many albums—are trying to get in on the brand,” McLynn says. “To be honest, if an artist these days is looking for a traditional major-label deal for several hundred thousand dollars, they will have to be willing to give up some of that brand.

”For a young act, such offers may be enticing, but McLynn urges caution. “If they’re not going to give you a lot of money for it, it’s a mistake,” says the manager, who helped build Fall Out Boy’s huge teen fan base through constant touring and Internet marketing, only later signing the band to a big label. “I had someone from a major label ask me recently, ‘Hey, I have this new artist; can we convert the deal to a 360 deal?’” McLynn recalls. “I told him [it would cost] $2 million to consider it. He thought I was crazy; but I’m just saying, how is that crazy? If you want all these extra rights and if this artist does blow up, then that’s the best deal in the world for you. If you’re not taking a risk, why am I going to give you this? And if it’s not a lot of money, you’re not taking a risk.”

A concert-tour company’s margin is about 4 percent, Live Nation CEO Michael Rapino has said, while the take on income from concessions, T-shirts, and other merchandise sold at shows can be much higher. The business had a record-setting year in 2006, which saw The Rolling Stones, Madonna, U2, Barbra Streisand, and other popular, high-priced tours on the road. But in 2007, North American gross concert dollars dropped more than 10 percent to $2.6 billion, according to Billboard statistics. Concert attendance fell by more than 19 percent to 51 million. Fewer people in the stands means less merchandise sold and concession-stand food eaten.

Now add this wrinkle: if you pour tens of millions of dollars into a 360 deal, as major labels and Live Nation have done with their big-name stars, you will need the act to tour for a long time to recoup your investment. “For decades we’ve been fueled by acts from the ’60s,” says Gary Bongiovanni, editor of the touring-industry trade magazine Pollstar. Three decades ago, no one would have predicted that Billy Joel or Rod Stewart would still be touring today, Bongiovanni notes, yet the industry has come to depend on artists such as these, known as “heritage acts.” “They’re the ones that draw the highest ticket prices and biggest crowds for our year-end charts,” he says. Consider the top-grossing tours of 2006 and 2007: veterans such as The Rolling Stones, Rod Stewart, Barbra Streisand, and Roger Waters were joined by comparative youngsters Madonna, U2, and Bon Jovi. Only two of the 20 acts—former Mouseketeers Justin Timberlake and Christina Aguilera—were younger than 30.

These young stars, the ones who are prone to taking what industry observer Bob Lefsetz calls “media shortcuts,” such as appearing on MTV, may have less chance of developing real staying power. Lefsetz, formerly an entertainment lawyer and consultant to major labels, has for 20 years published an industry newsletter (now a blog) called the Lefsetz Letter. “Whatever a future [superstar] act will be, it won’t be as ubiquitous as the acts from the ’60s because we were all listening to Top 40 radio,” he says.

From the 1960s to the 1980s, music fans discovered new music primarily on the radio and purchased albums in record stores. The stations young people listened to might have played rock, country, or soul; but whatever the genre, DJs introduced listeners to the hits of tomorrow and guided them toward retail stores and concert halls.

Today, music is available in so many genres and subgenres, via so many distribution streams—including cell phones, social networking sites, iTunes, Pure Volume, and Limewire—that common ground rarely exists for post–Baby Boom fans. This in turn makes it harder for tour promoters to corral the tens of thousands of ticket holders they need to fill an arena. “More people can make music than ever before. They can get it heard, but it’s such a cacophony of noise that it will be harder to get any notice,” says Lefsetz.

Most major promoters don’t know how to capture young people’s interest and translate it into ticket sales, he says. It’s not that his students don’t listen to music, but that they seek to discover it online, from friends, or via virtual buzz. They’ll go out to clubs and hear bands, but they rarely attend big arena concerts. Promoters typically spend 40 percent to 50 percent of their promotional budgets on radio and newspaper advertising, Barnet says. “High school and college students—what percentage of tickets do they buy? And you’re spending most of your advertising dollars on media that don’t even focus on those demographics.” Conversely, the readers and listeners of traditional media are perfect for high-grossing heritage tours. As long as tickets sell for those events, promoters won’t have to change their approach, Barnet says. Heritage acts also tend to sell more CDs, says Pollstar’s Bongiovanni. “Your average Rod Stewart fan is more likely to walk into a record store, if they can find one, than your average Fall Out Boy fan.”

Personally, [Live Nation’s chairman of global music and global touring, Arthur Fogel] said, he’d been disappointed in the young bands he’d seen open for the headliners on Live Nation’s big tours. Live performance requires a different skill set from recorded tracks. It’s the difference between playing music and putting on a show, he said. “More often than not, I find young bands get up and play their music but are not investing enough time or energy into creating that show.” It’s incumbent on the industry to find bands that can rise to the next level, he added. “We aren’t seeing that development that’s creating the next generation of stadium headliners. Hopefully that will change.”

Live Nation doesn’t see itself spearheading such a change, though. In an earlier interview with Billboard magazine, Rapino took a dig at record labels’ model of bankrolling ten bands in the hope that one would become a success. “We don’t want to be in the business of pouring tens of millions of dollars into unknown acts, throwing it against the wall and then hoping that enough sticks that we only lose some of our money,” he said. “It’s not part of our business plan to be out there signing 50 or 60 young acts every year.”

And therein lies the rub. If the big dog in the touring pack won’t take responsibility for nurturing new talent and the labels have less capital to invest in artist development, where will the future megatour headliners come from?

Indeed, despite its all-encompassing moniker, the 360 deal isn’t the only option for musicians, nor should it be. Some artists may find they need the distribution reach and bankroll that a traditional big-label deal provides. Others might negotiate with independent labels for profit sharing or licensing arrangements in which they’ll retain more control of their master recordings. Many will earn the bulk of their income from licensing their songs for use on TV shows, movie soundtracks, and video games. Some may take an entirely do-it-yourself approach, in which they’ll write, produce, perform, and distribute all of their own music—and keep any of the profits they make.

There are growing signs of this transition. The Eagles recently partnered with Wal-Mart to give the discount chain exclusive retail-distribution rights to the band’s latest album. Paul McCartney chose to release his most recent record through Starbucks, and last summer Prince gave away his newest CD to London concertgoers and to readers of a British tabloid. And in a move that earned nearly as much ink as Madonna’s 360 deal, rock act Radiohead let fans download its new release directly from the band’s website for whatever price listeners were willing to pay. Though the numbers are debated, one source, ComScore, reported that in the first month 1.2 million people downloaded the album. About 40 percent paid for it, at an average of about $6 each—well above the usual cut an artist would get in royalties. The band also self-released the album in an $80 limited-edition package and, months later, as a CD with traditional label distribution. Such a move wouldn’t work for just any artist. Radiohead had the luxury of a fan base that it developed over more than a dozen years with a major label. But the band’s experiment showed creativity and adaptability.

If concerts bring money in for the music biz, what happens when concerts get smaller? Read More »

Details on the Storm & Nugache botnets

From Dennis Fisher’s “Storm, Nugache lead dangerous new botnet barrage” (SearchSecurity.com: 19 December 2007):

[Dave Dittrich, a senior security engineer and researcher at the University of Washington in Seattle], one of the top botnet researchers in the world, has been tracking botnets for close to a decade and has seen it all. But this new piece of malware, which came to be known as Nugache, was a game-changer. With no C&C server to target, bots capable of sending encrypted packets and the possibility of any peer on the network suddenly becoming the de facto leader of the botnet, Nugache, Dittrich knew, would be virtually impossible to stop.

Dittrich and other researchers say that when they analyze the code these malware authors are putting out, what emerges is a picture of a group of skilled, professional software developers learning from their mistakes, improving their code on a weekly basis and making a lot of money in the process.

The way that Storm, Nugache and other similar programs make money for their creators is typically twofold. First and foremost, Storm’s creator controls a massive botnet that he can use to send out spam runs, either for himself or for third parties who pay for the service. Storm-infected PCs have been sending out various spam messages, including pump-and-dump stock scams, pitches for fake medications and highly targeted phishing messages, throughout 2007, and by some estimates were responsible for more than 75% of the spam on the Internet at certain points this year.

Secondly, experts say that Storm’s author has taken to sectioning off his botnet into smaller pieces and then renting those subnets out to other attackers. Estimates of the size of the Storm network have ranged as high as 50 million PCs, but Brandon Enright, a network security analyst at the University of California at San Diego, who wrote a tool called Stormdrain to locate and count infect machines, put the number at closer to 20,000. Dittrich estimates that the size of the Nugache network was roughly equivalent to Enright’s estimates for Storm.

“The Storm network has a team of very smart people behind it. They change it constantly. When the attacks against searching started to be successful, they completely changed how commands are distributed in the network,” said Enright. “If AV adapts, they re-adapt. If attacks by researchers adapt, they re-adapt. If someone tries to DoS their distribution system, they DoS back.”

The other worrisome detail in all of this is that there’s significant evidence that the authors of these various pieces of malware are sharing information and techniques, if not collaborating outright.

“I’m pretty sure that there are tactics being shared between the Nugache and Storm authors,” Dittrich said. “There’s a direct lineage from Sdbot to Rbot to Mytob to Bancos. These guys can just sell the Web front-end to these things and the customers can pick their options and then just hit go.”

Once just a hobby for devious hackers, writing malware is now a profession and its products have helped create a global shadow economy. That infrastructure stretches from the mob-controlled streets of Moscow to the back alleys of Malaysia to the office parks of Silicon Valley. In that regard, Storm, Nugache and the rest are really just the first products off the assembly line, the Model Ts of P2P malware.

Details on the Storm & Nugache botnets Read More »

Google PageRank explained

From Danny Sullivan’s “What Is Google PageRank? A Guide For Searchers & Webmasters” (Search Engine Land: 26 April 2007):

Let’s start with what Google says. In a nutshell, it considers links to be like votes. In addition, it considers that some votes are more important than others. PageRank is Google’s system of counting link votes and determining which pages are most important based on them. These scores are then used along with many other things to determine if a page will rank well in a search.

PageRank is only a score that represents the importance of a page, as Google estimates it (By the way, that estimate of importance is considered to be Google’s opinion and protected in the US by the First Amendment. When Google was once sued over altering PageRank scores for some sites, a US court ruled: “PageRanks are opinions–opinions of the significance of particular Web sites as they correspond to a search query….the court concludes Google’s PageRanks are entitled to full constitutional protection.)

Google PageRank explained Read More »

Surveillance cameras don’t reduce crime

From BBC News’ “CCTV boom ‘failing to cut crime’” (6 May 2008):

Huge investment in closed-circuit TV technology has failed to cut UK crime, a senior police officer has warned.

Det Ch Insp Mick Neville said the system was an “utter fiasco” – with only 3% of London’s street robberies being solved using security cameras.

Although Britain had more cameras than any other European country, he said “no thought” had gone into how to use them.

Speaking at the Security Document World Conference in London, Det Ch Insp Neville, the head of the Met’s Visual Images, Identifications and Detections Office (Viido), said one of the problems was that criminals were not afraid of cameras.

He also said more training was needed for officers who often avoided trawling through CCTV images “because it’s hard work”.

One study suggests there may be more than 4.2 million CCTV cameras in the UK – the majority on private property – but until Viido was set up in September 2006 there had been no dedicated police unit to deal with the collection and dissemination of CCTV evidence.

From Owen Bowcott’s “CCTV boom has failed to slash crime, say police” (The Guardian: 6 May 2008):

Massive investment in CCTV cameras to prevent crime in the UK has failed to have a significant impact, despite billions of pounds spent on the new technology, a senior police officer piloting a new database has warned. Only 3% of street robberies in London were solved using CCTV images, despite the fact that Britain has more security cameras than any other country in Europe.

Surveillance cameras don’t reduce crime Read More »

Virtual kidnappings a problem in Mexico

From Marc Lacey’s “Exploiting Real Fears With ‘Virtual Kidnappings’ ” (The New York Times: 29 April 2008):

MEXICO CITY — The phone call begins with the cries of an anguished child calling for a parent: “Mama! Papa!” The youngster’s sobs are quickly replaced by a husky male voice that means business.

“We’ve got your child,” he says in rapid-fire Spanish, usually adding an expletive for effect and then rattling off a list of demands that might include cash or jewels dropped off at a certain street corner or a sizable deposit made to a local bank.

The twist is that little Pablo or Teresa is safe and sound at school, not duct-taped to a chair in a rundown flophouse somewhere or stuffed in the back of a pirate taxi. But when the cellphone call comes in, that is not at all clear.

This is “virtual kidnapping,” the name being given to Mexico’s latest crime craze, one that has capitalized on the raw nerves of a country that has been terrorized by the real thing for years.

A new hot line set up to deal with the problem of kidnappings in which no one is actually kidnapped received more than 30,000 complaints from last December to the end of February, Joel Ortega, Mexico City’s police chief, announced recently. There have been eight arrests, and 3,415 telephone numbers have been identified as those used by extortionists, he said.

But identifying the phone numbers — they are now listed on a government Web site — has done little to slow the extortion calls. Nearly all the calls are from cellphones, most of them stolen, authorities say.

On top of that, many extortionists are believed to be pulling off the scams from prisons.

Authorities say hundreds of different criminal gangs are engaged in various telephone scams. Besides the false kidnappings, callers falsely tell people they have won cars or money. Sometimes, people are told to turn off their cellphones for an hour so the service can be repaired; then, relatives are called and told that the cellphone’s owner has been kidnapped. Ransom demands have even been made by text message.

No money changed hands in her case, but in many instances — as many as a third of the calls, one study showed — the criminals make off with some valuables. One estimate put the take from telephone scams in Mexico in the last six months at 186.6 million pesos, nearly $20 million.

Virtual kidnappings a problem in Mexico Read More »

Abuse of “terrorist” investigative powers

From BBC News’ “Council admits spying on family” (10 April 2008):

A council has admitted spying on a family using laws to track criminals and terrorists to find out if they were really living in a school catchment.

A couple and their three children were put under surveillance without their knowledge by Poole Borough Council for more than two weeks.

The council admitted using powers under the Regulation of Investigatory Powers Act (RIPA) on six occasions in total.

Three of those were for suspected fraudulent school place applications.

RIPA legislation allows councils to carry out surveillance if it suspects criminal activity.

On its website, the Home Office says: “The Regulation of Investigatory Powers Act (RIPA) legislates for using methods of surveillance and information gathering to help the prevention of crime, including terrorism.”

Abuse of “terrorist” investigative powers Read More »

6 reasons why “content” has been devalued

From Jonathan Handel’s “Is Content Worthless?” (The Huffington Post: 11 April 2008):

Everyone focuses on piracy, but there are actually six related reasons for the devaluation of content. The first is supply and demand. Demand — the number of consumers and their available leisure time – is relatively constant, but supply — online content — has grown enormously in the last decade. Some of this is professional content set free from boundaries of time and space, now available worldwide, anytime, and usually at no cost (whether legally or not). Even more is user generated content (UGC) — websites, blogs, YouTube videos — created by non-professionals who don’t care whether they get paid, and who themselves pay little or nothing to create and distribute it.

The second is the loss of physical form. It just seems natural to value a physical thing more highly than something intangible. Physical objects have been with us since the beginning of time; distributable intangible content has not. Perhaps for that reason, we tend to focus on per-unit costs (zero for an intangible such as a movie download), while forgetting about fixed costs (such as the cost of making the movie in the first place). Also, and critically, if you steal something tangible, you deny it to the owner; a purloined DVD is no longer available to the merchant, for instance. But if you misappropriate an intangible, it’s still there for others to use. …

The third reason is that acquiring content is increasingly frictionless. It’s often easier, particularly for young people, to access content on the Internet than through traditional means. …

Fourth is that most new media business models are ad-supported rather than pay per view or subscription. If there’s no cost to the user, why should consumers see the content as valuable, and if some content is free, why not all of it? …

Fifth is market forces in the technology industry. Computers, web services, and consumer electronic devices are more valuable when more content is available. In turn, these products make content more usable by providing new distribution channels. Traditional media companies are slow to adopt these new technologies, for fear of cannibalizing revenue from existing channels and offending powerful distribution partners. In contrast, non-professionals, long denied access to distribution, rush to use the new technologies, as do pirates of professional content. As a result, technological innovation reduces the market share of paid professional content.

Finally, there’s culture. A generation of users has grown up indifferent or hostile to copyright, particularly in music, movies and software.

6 reasons why “content” has been devalued Read More »

His employer’s misconfigured laptop gets him charged with a crime

From Robert McMillan’s “A misconfigured laptop, a wrecked life” (NetworkWorld: 18 June 2008):

When the Commonwealth of Massachusetts issued Michael Fiola a Dell Latitude in November 2006, it set off a chain of events that would cost him his job, his friends and about a year of his life, as he fought criminal charges that he had downloaded child pornography onto the laptop. Last week, prosecutors dropped their year-old case after a state investigation of his computer determined there was insufficient evidence to prove he had downloaded the files.

An initial state investigation had come to the opposite conclusion, and authorities took a second look at Fiola’s case only after he hired a forensic investigator to look at his laptop. What she found was scary, given the gravity of the charges against him: The Microsoft SMS (Systems Management Server) software used to keep his laptop up to date was not functional. Neither was its antivirus protection. And the laptop was crawling with malicious programs that were most likely responsible for the files on his PC.

Fiola had been an investigator with the state’s Department of Industrial Accidents, examining businesses to see whether they had worker’s compensation plans. Over the past two days, however, he’s become a spokesman for people who have had their lives ruined by malicious software.

[Fiola narrates his story:] We had a laptop basically to do our reports instantaneously. If I went to a business and found that they were out of compliance, I would log on and type in a report so it could get back to the home office in Boston immediately. We also used it to research businesses. …

My boss called me into his office at 9 a.m. The director of the Department of Industrial Accidents, my immediate supervisor, and the personnel director were there. They handed me a letter and said, “You are being fired for a violation of the computer usage policy. You have pornography on your computer. You’re fired. Clean out your desk. Let’s go.” …

It was horrible. No paycheck. I lost all my benefits. I lost my insurance. My wife is very, very understanding. She took the bull by the horns and found an attorney. I was just paralyzed, I couldn’t do anything. I can’t describe the feeling to you. I wouldn’t wish this on my worst enemy. It’s just devastating.

If you get in a car accident and you kill somebody, people talk to you afterwards. All our friends abandoned us. The only family that stood by us was my dad, her parents, my stepdaughter and one other good friend of ours. And that was it. Nobody called. We spent many weekends at home just crying. I’m 53 years old and I don’t think I’ve cried as much in my whole life as I did in the past 18 months. …

His employer’s misconfigured laptop gets him charged with a crime Read More »

Bush’s Manicheanism destroyed him

From Glenn Greenwald’s “A tragic legacy: How a good vs. evil mentality destroyed the Bush presidency” (Salon: 20 June 2007):

One of the principal dangers of vesting power in a leader who is convinced of his own righteousness — who believes that, by virtue of his ascension to political power, he has been called to a crusade against Evil — is that the moral imperative driving the mission will justify any and all means used to achieve it. Those who have become convinced that they are waging an epic and all-consuming existential war against Evil cannot, by the very premises of their belief system, accept any limitations — moral, pragmatic, or otherwise — on the methods adopted to triumph in this battle.

Efforts to impose limits on waging war against Evil will themselves be seen as impediments to Good, if not as an attempt to aid and abet Evil. In a Manichean worldview, there is no imperative that can compete with the mission of defeating Evil. The primacy of that mandate is unchallengeable. Hence, there are no valid reasons for declaring off-limits any weapons that can be deployed in service of the war against Evil.

Equally operative in the Manichean worldview is the principle that those who are warriors for a universal Good cannot recognize that the particular means they employ in service of their mission may be immoral or even misguided. The very fact that the instruments they embrace are employed in service of their Manichean mission renders any such objections incoherent. How can an act undertaken in order to strengthen the side of Good, and to weaken the forces of Evil, ever be anything other than Good in itself? Thus, any act undertaken by a warrior of Good in service of the war against Evil is inherently moral for that reason alone.

It is from these premises that the most amoral or even most reprehensible outcomes can be — and often are — produced by political movements and political leaders grounded in universal moral certainties. Intoxicated by his own righteousness and therefore immune from doubt, the Manichean warrior becomes capable of acts of moral monstrousness that would be unthinkable in the absence of such unquestionable moral conviction. One who believes himself to be leading a supreme war against Evil on behalf of Good will be incapable of understanding any claims that he himself is acting immorally.

That is the essence of virtually every argument Bush supporters make regarding terrorism. No matter what objection is raised to the never-ending expansions of executive power, no matter what competing values are touted (due process, the rule of law, the principles our country embodies, how we are perceived around the world), the response will always be that The Terrorists are waging war against us and our overarching priority — one that overrides all others — is to protect ourselves, to triumph over Evil. By definition, then, there can never be any good reason to oppose vesting powers in the government to protect us from The Terrorists because that goal outweighs all others.

But our entire system of government, from its inception, has been based upon a very different calculus — that is, that many things matter besides merely protecting ourselves against threats, and consequently, we are willing to accept risks, even potentially fatal ones, in order to secure those other values. From its founding, America has rejected the worldview of prioritizing physical safety above all else, as such a mentality leads to an impoverished and empty civic life. The premise of America is and always has been that imposing limitations on government power is necessary to secure liberty and avoid tyranny even if it means accepting an increased risk of death as a result. That is the foundational American value.

It is this courageous demand for core liberties even if such liberties provide less than maximum protection from physical risks that has made America bold, brave, and free. Societies driven exclusively or primarily by a fear of avoiding Evil, minimizing risks, and seeking above all else that our government “protects” us are not free. That is a path that inevitably leads to authoritarianism — an increasingly strong and empowered leader in whom the citizens vest ever-increasing faith and power in exchange for promises of safety. That is most assuredly not the historical ethos of the United States.

The Bill of Rights contains numerous limitations on government power, and many of them render us more vulnerable to threats. If there is a serial killer on the loose in a community, the police would be able to find and apprehend him much more easily if they could simply invade and search everyone’s homes at will and without warning. Nonetheless, the Fourth Amendment expressly prohibits the police from undertaking such searches. It requires both probable cause and a judicial warrant before police may do so, even though such limitations on state power will enable dangerous killers to elude capture.

The scare tactic of telling Americans that every desired expansion of government power is justified by the Evil Terrorist Threat — and that there is no need to worry because the president is Good and will use these powers only to protect us — is effective because it has immediate rhetorical appeal. Most people, especially when placed in fear of potentially fatal threats, are receptive to the argument that maximizing protection is the only thing that matters, and that no abstract concept (such as liberty, or freedom, or due process, or adhering to civilized norms) is worth risking one’s life by accepting heightened levels of vulnerability.

But nothing in life is perfectly safe. Perfect safety is an illusion. When pursued by an individual to the exclusion of all else, it creates a tragically worthless, paralyzed way of life. On the political level, safety as the paramount goal produces tyranny, causing people to vest as much power as possible in the government, without limits, in exchange for the promise of maximum protection.

Bush’s Manicheanism destroyed him Read More »

1/2 of all bots are in China

From “Report: China’s botnet problems grows” (SecurityFocus: 21 April 2008):

Computers infected by Trojan horse programs and bot software are the greatest threat to China’s portion of the Internet, with compromises growing more than 20-fold in the past year, the nation’s Computer Emergency Response Team (CN-CERT) stated in its 2007 annual report released last week.

The response organization found that the number of Chinese Internet addresses with one or more infected systems increased by a factor of 22 in 2007. The report, currently only published in Chinese, estimates that, of 6.23 million bot-infected computers on the Internet, about 3.62 million are in China’s address space.

1/2 of all bots are in China Read More »

Modern piracy on the high seas

From Charles Glass’ “The New Piracy: Charles Glass on the High Seas” (London Review of Books: 18 December 2003):

Ninety-five per cent of the world’s cargo travels by sea. Without the merchant marine, the free market would collapse and take Wall Street’s dream of a global economy with it. Yet no one, apart from ship owners, their crews and insurers, appears to notice that pirates are assaulting ships at a rate unprecedented since the glorious days when pirates were ‘privateers’ protected by their national governments. The 18th and 19th-century sponsors of piracy included England, Holland, France, Spain and the United States. In comparison, the famed Barbary corsairs of North Africa were an irritant. Raiding rivals’ merchant vessels went out of fashion after the Napoleonic Wars, and piracy was outlawed in the 1856 Declaration of Paris (never signed by the US). Since the end of the Cold War, it has been making a comeback. Various estimates are given of its cost to international trade. The figure quoted most often is the Asia Foundation’s $16 billion per annum lost in cargo, ships and rising insurance premiums.

The International Maritime Bureau (IMB), which collects statistics on piracy for ship owners, reports that five years ago pirates attacked 106 ships. Last year they attacked 370. This year looks worse still.

In waters where piracy flourished in the past, the tradition embodied in figures such as Captain Kidd has persisted: off the Ganges delta in Bangladesh, in the Java and South China Seas, off the Horn of Africa and in the Caribbean. Three conditions appear necessary: a tradition of piracy; political instability; and rich targets – Spanish galleons for Drake, oil tankers for his descendants. A fourth helps to explain the ease with which it happens: ‘The maritime environment,’ Gunaratna said, ‘is the least policed in the world today.’

The IMB has not been able to persuade the international community or the more powerful maritime states to take serious action. The Bureau’s director, Captain Pottengal Mukundan, believes there is nothing crews can do to protect themselves. National maritime laws are not enforced beyond national boundaries – which is to say, over more than half the earth’s surface. Beyond territorial waters, there are no laws, no police and no jurisdiction. Many countries lack the will or the resources to police even their own waters. The IMB advises all ships against putting in anywhere near states like Somalia, for instance, where there is a near certainty of attack. … Piracy is a high-profit, low-risk activity.

The IMB urges crews to take more precautions, but owners can’t afford every recommended improvement: satellite-tracking devices, closed circuit cameras, electric fencing and security officers on every ship. Owners and trade unions discourage the arming of merchant ships in the belief that firearms will put crews’ lives at greater risk. Only the Russians and the Israelis are known to keep weapons aboard. Competition in the shipping business forces owners to minimise expenditure on crews as on everything else. A commission of inquiry into the 1989 Exxon Valdez spill that nearly destroyed the Alaskan coast reported that ‘tankers in the 1950s carried a crew of 40 to 42 to manage about 6.3 million gallons of oil . . . the Exxon Valdez carried a crew of 19 to transport 53 million gallons of oil.’ [Quoted in Dangerous Waters: Modern Piracy and Terror on the High Seas by John Burnett] With the automation of many shipboard tasks, vessels today carry even fewer seamen than they did when the Exxon Valdez ran aground. That means fewer eyes to monitor the horizon and the decks for intruders.

Air and land transport routes have come under tighter scrutiny since 11 September 2001, but improvements to maritime security are few. An oil tanker can carry a load that is far, far more explosive than any civil aircraft. And most piracy, including the seizure of oil tankers, takes place near countries with powerful Islamist movements – Indonesia, Malaysia, the Philippines, Yemen and Somalia. Lloyd’s List reported on 4 November that Indonesia is ‘the global black spot’ with 87 attacks in the first nine months of this year – ‘the number of attacks in the Malacca Straits leaped from 11 in 2002 to 24 this year.’ Indonesia, which consists of two thousand islands, is the world’s most populous Muslim country. It has experienced decades of repression by a kleptocratic military, communal violence and the degradation of a once vibrant economy. Radical Islamists have made it the focus of their activity and recruitment in Asia.

Modern piracy on the high seas Read More »

Micro-nations

From George Pendle’s “New Foundlands” (Cabinet: Summer 2005):

Call them micro-nations, model countries, ephemeral states, or new country projects, the world is surprisingly full of entities that display all the trappings of established independent states, yet garner none of the respect. The Republic of Counani, Furstentum Castellania, Palmyra, the Hutt River Province, and the Empire of Randania may sound fantastical, but they are a far cry from authorial inventions, like C.S. Lewis’s Narnia or Swift’s Laputa. …

Such idiosyncratic nation-building can trace its roots back to the early nineteenth century, when even the mightiest empire had yet to consolidate its grip on the more far-flung regions of the world. The swampland of the Mosquito Coast was just such an untouched area, and it was here that the Scottish adventurer Gregor MacGregor decided to found his new kingdom – the Territory of Poyais.

The Territory of Poyais displayed many of the themes that would appear in micro-nations for the next century-and-a-half: Firstly, that the love of money is usually a significant incentive in a micro-nation’s foundation. Secondly, that a micro-nation’s founders will always bestow upon themselves thoroughly dramatic titles. Thirdly, that since all the world’s good spots have been taken, micro-nations are usually gifted with dire and hazardous geography. And finally, should any other country enquire into the status of a micro-nation, it is liable to collapse.

For example, take the Republic of Indian Stream, a self-declared republic in North America that existed from 1832 to 1835. An ambiguous border treaty between Britain and the U.S. had created a 500-square mile legal loophole between Canada and the state of New Hampshire. Three hundred enterprising American citizens, all hoping to avoid federal taxes, quickly established a government and constitution and declared Indian Stream a sovereign state. The Republic went unchallenged, but when one of its members was arrested for unpaid debts and taken to serve time in a debtors’ prison in Canada, the Republic of Indian Stream swiftly planned a counterstrike. Crossing the border into Canada, they shot up a local judge’s house, broke their fellow “Streamer” out of prison, and returned triumphantly home. This bravado did not last for long. By the next morning, doubts about the attack were mustering, British retaliation was feared, and before long the Republic voted to be annexed by the New Hampshire militia. Indian Stream was soon incorporated into the state where its libertarian longing would continue to be nurtured for years to come.

One of the major problems in founding a new country, second only to being ignored, is the threat of invasion by a more legitimate nation. As a result, when a group of Ayn Rand disciples tried, in 1969, to set up a new country named Oceana, defense of the realm was paramount. Even though the exact location for Oceana had not been definitely fixed, boot camps were organized for all those who wanted to live there. Most ominously of all, plans were made to steal a nuclear missile, the ultimate deterrent should another country come knocking on their door. Fortunately the group was disorganized and lacking in funds, and when the ringleaders decided to rob a bar to fund their project, the hapless group was promptly arrested and their startling story discovered.

The United States Office of the Geographer stresses that five factors are needed to become a country: space, population, economic activity, government structure, and recognition from other countries. Of these, it is the last factor that has always been the hardest to attain. However, one micro-nation has perhaps come closer to fulfilling these requirements than any other. Founded by a former “pirate” radio operator, Paddy Roy Bates, Sealand is situated on an abandoned World War II anti-aircraft tower, seven miles off the British coast. Consisting of 550 square meters of solid steel, it was declared independent by “Prince” Roy in 1967. (The country’s initial economic activity consisted largely of selling passports and minted coins – both common practices amongst modern micro-nations out to make a quick buck).

Just as Sealand now plays host to the Internet, it is the Internet that has revealed itself as the host for a whole new generation of fictional state projects. As the libertarian fetish for micro-nations weakens, the virtual geography of the Internet grants a modicum of affordable tangibility to new micro-nations, without any of the traditional perils associated with abandoned anti-aircraft platforms or disputed South Pacific atolls.

In comparison, the Royal Kingdom of Elgaland-Vargaland (KREV) has no pull on believability. Although it claims physical territory, it insanely suggests that this consists of all the border frontier areas between all countries on earth. In doing so, the joint kings of KREV (for even these post-modern micro-nations can rarely resist the traditional attraction of a royal title) seem to be taking the artist Gordon Matta-Clark’s “Fake Estates” project – in which Matta-Clark bought small, inaccessible, and unusable lots of land, situated between buildings – to its furthest logical extension. KREV is a country made up of the intersections between real countries, a nation of negative space – a micro-nation that is best to debate rather than to visit.

Micro-nations listed in the article:

  •   the Republic of Counani  
  •   Furstentum Castellania  
  •   Palmyra  
  •   the Hutt River Province  
  •   the Empire of Randania  
  •   the Territory of Poyais  
  •   the Territory of Poyais  
  •   the Republic of Indian Stream  
  •   the Principality of Outer Baldonia  
  •   Oceana  
  •   Sealand  
  •   the Republic of Howland, Baker and Jarvis  
  •   the Royal Kingdom of Elgaland-Vargaland (KREV)  

Micro-nations Read More »