The Dylan M. versus Google incident, ten years later

So it was ten years ago this month I wrote two posts about one Dylan M. and the sudden disabling of his Google account over some photos (under the titles “When ‘the cloud’ delivers a thunderstorm” and “Warm bodies are still smarter than silicon (When ‘the cloud’ delivers a thunderstorm, part 2)”). The first post concluded with the advice to back up data on USB flash drives and use optical discs for long term archival, while the second post discussed more of the aftermath and how it’s a bit heavy handed for Google to disable an entire account over just one image which arguably isn’t even their business unless it’s being shared with the public.

Everything in both of those posts is still true today, more or less. There’s been an unfortunate move away from optical discs, and it’s a bit harder to find recordable CD and DVD media these days. As for me, I was lucky. Some time ago I was able to buy both the drive and discs I’m using at Target. (I find it easier to use an external DVD-R drive due to the arrangement of my laptop on my desk.)

I’m not sure if Target is still selling the drives or the media. I do remember the last Walgreens I checked was not selling any optical disc media at all. They weren’t selling USB flash drives either, so it may just have been that one store. I don’t particularly like buying from Amazon when I can avoid it, but they appear to be selling both the drives and media. Best Buy was selling at least the drives online as well.

Unfortunately this move to obsolete optical disc media goes back to Apple and their sudden refusal to put optical disc drives in their computers. On a laptop I can kind of get it, as space is precious and there is the option of an external drive (like the one I’m using). On a desktop, though? Space is not the issue, though I can see forgoing an optical media drive for cost reasons (especially if the money saved is instead going toward a larger SSD, more RAM, or more CPU).

I also mention my luck with failing USB drives. I have since had a few more USB drives fail on me, and at least two or three SD cards give up the ghost. For short-term copies, they might be good enough, especially given how hard it can be to archive larger files on optical discs. (Though, as I write this, external Blu-Ray recorders have come down to around $100-$150. Of course, the media can still be expensive. My spot price check shows a 10-disc spindle of 100GB BD-XL at $52, or $5.20 per disc, from one supplier.)

The key lessons remain the same. If it’s important, make backup copies. Make and use multiple accounts for cloud-based services if your situation warrants (and the terms of service allow). If you go this route, you should have one for the mainstay of your personal activities, then one or more others for riskier activities. Keep them separate, ideally using separate computers or devices and never mixing them up.

You should not assume anything is private when companies like Google, Microsoft, Apple, Amazon, Adobe, etc., are running the service. Companies often analyze and use your data to figure out what kinds of ads to serve you elsewhere (particularly in the case of Google and Microsoft).

Finally, if you can’t touch it (or the device it is stored on), you don’t really own it. Sometimes this is close to unavoidable (email and web hosting in particular, at least for the majority of people). Still, back up your email and, if you have one, your website. (Don’t forget to also make a copy of the database if your site has one.)

It’s really unfortunate that things really haven’t changed on this front. If anything, I think the situation has gotten worse.

They used to teach an actual computer literacy course as part of the middle school curriculum. (The school I went to for sixth grade would have had me take a full semester of typing–on typewriters!–as a prerequisite to the actual semester of computer literacy. Thankfully, the school I was transferring to did not.) Now, the technology literacy (as it is called now) is woven into other courses. As an acknowledgement of the increasing role technology is playing in our lives, this makes sense.

I do remember learning about backups and things like ethics as part of computer literacy. I’m not sure if today’s students still learn about these things. (Of course, I would hope they still are.)

The chilling effect of a DoS attack: why the KrebsOnSecurity incident should alarm all of us

Ars Technica recently reported on a troubling situation involving well-known security blogger Brian Krebs and his blog KrebsOnSecurity. Brian’s blog is now back online, thankfully, and he wasted no time firing off this post entitled The Democratization of Censorship which I will quote in part:

More than 20 years after [John] Gilmore first coined [the] turn of phrase [“The Net interprets censorship as damage and routes around it”], his most notable quotable has effectively been inverted — “Censorship can in fact route around the Internet.” The Internet can’t route around censorship when the censorship is all-pervasive and armed with, for all practical purposes, near-infinite reach and capacity. I call this rather unwelcome and hostile development the “The Democratization of Censorship.”

Allow me to explain how I arrived at this unsettling conclusion. As many of you know, my site was taken offline for the better part of this week. The outage came in the wake of a historically large distributed denial-of-service (DDoS) attack which hurled so much junk traffic at Krebsonsecurity.com that my DDoS protection provider Akamai chose to unmoor my site from its protective harbor.

The blog post goes on to describe the details, namely that a denial of service (DoS) attack was aimed at Brian’s blog that was so massive that Akamai could no longer afford to protect him from it. Rather than allow his own hosting provider to get swamped with the traffic, Brian instead chose to take his blog offline by pointing it at the loopback address; given that the vast majority of users are not running a web server on their own PCs, and certainly not on their phones or tablets if they are using such a device, this had the effect of taking the blog down. Brian finally put it back up under the protection of Google’s Project Shield.

As to what figurative fireant mound Brian managed to step in, I’m not even sure it really matters that much. The problem is that this happened. If it happens to someone like Brian Krebs, it can just as easily happen to any of us. The tragedy here is not that Akamai and Google are willing to protect sites like Brian’s from crippling denial of service attacks. No, the tragedy is that such protection even needs to exist.

In this case, Google happens to be the good guys. However, it is worth mentioning I have been highly critical of Google in the past; always for a good reason of course, but it’s inevitable that a corporation like Google (or Akamai, for that matter) will get one wrong once in a while.

That’s not to say that Akamai are the bad guys here; they protected Brian’s site for as long as they could, until it became completely unfeasible to do so. To give you an idea of the scale of the chessboard Brian is playing on, here is another chilling quote from his blog post:

In an interview with The Boston Globe, Akamai executives said the attack — if sustained — likely would have cost the company millions of dollars. In the hours and days following my site going offline, I spoke with multiple DDoS mitigation firms. One offered to host KrebsOnSecurity for two weeks at no charge, but after that they said the same kind of protection I had under Akamai would cost between $150,000 and $200,000 per year.

[…]

That annual figure breaks down to $400 or so per day. For most of us that’s a crippling sum; I would think even Bill Gates, Warren Buffett, Jeff Bezos, or most other multi-billionaires would probably throw in the towel if keeping a blog or website up cost that much (and was operated purely for free speech and not profit purposes; obviously that’s a drop in the bucket for Microsoft, Amazon, or most of the companies owned by Berkshire Hathaway, for their public-facing and profit-generating websites).

It almost goes without saying, but if it cost that $400 per day to keep this site online, it would be gone. I’m not even sure I could take the two free weeks in good conscience, because I’d be quitting immediately thereafter. I would likely even be afraid to try to distribute the archives via BitTorrent for fear anywhere I tried to seed it from would be hit with the same type of attack. I certainly couldn’t use BitTorrent for posting new updates; maybe I could use something like Freenet or ZeroNet. That would likely mean giving up WordPress, which I really do not want to do.

There has to be something that can be done about this cybervandalism at the Internet service provider (ISP) level. I don’t get why the heck any decent ISP still allows the kind of garbage in a DoS attack outside of its own network. It’s one thing for someone to take control of a botnet on, say, Comcast’s or AT&T’s network, and take someone offline that’s on that network. It’s another entirely to take control of botnets across the planet and blast someone right off of Akamai’s network. I don’t even know if cybervandalism is still the right word at that scale; it’s more like cyberwarfare at that point.

Google and payday loan sharks: the past versus the future

For once, Google does something truly worthy of commendation.

This recent story in The Atlantic states that effective in about two months, Google will no longer allow advertisements for companies which make loans due in less than 60 days, or in the US, with interest rates above 36% APR. (I have reviewed the terms for many such loans, and I have yet to see a payday loan or title loan company offer a loan anywhere near as low as 36% APR; usually it’s at least 200% APR, sometimes over 400% APR.)

I am not sure of the reason for the two-month delay in prohibiting the ads, but this is a rare occasion where I believe Google is doing the right thing. Even better, it appears the motivation behind this is completely moral and ethical, as opposed to just avoiding bad PR or lawsuits from end users. From a statement written by David Graff, director of global product policy at Google:

In that vein, today we’re sharing an update that will go into effect on July 13, 2016: we’re banning ads for payday loans and some related products from our ads systems. We will no longer allow ads for loans where repayment is due within 60 days of the date of issue. In the U.S., we are also banning ads for loans with an APR of 36% or higher. When reviewing our policies, research has shown that these loans can result in unaffordable payment and high default rates for users so we will be updating our policies globally to reflect that.

This change is designed to protect our users from deceptive or harmful financial products and will not affect companies offering loans such as Mortgages, Car Loans, Student Loans, Commercial loans, Revolving Lines of Credit (e.g. Credit Cards).

[…]

[O]ur hope is that fewer people will be exposed to misleading or harmful products.

Now, I will concede that it was perhaps not the brightest move for what was at the time called Google Ventures, now called GV (the venture-capital arm of what used to be Google, Inc., now Alphabet, Inc.), to provide some of the seed funding for LendUp back in 2013. (One of LendUp’s products is short-term, high-APR loans of the sort which won’t be able to be advertised on Google when the new rules take effect. LendUp’s other products are not nearly as predatory, and I have even applied for their credit card not too long ago. Still, a lot of people criticize LendUp for their high-APR short-term loans and I don’t blame them.)

GV would probably like to have that one back now, and I don’t blame them. There is a Chinese proverb which states “The best time to plant a tree was 20 years ago; the second best time is now.” I think a form of that certainly applies here. GV can’t fix the past, but Google can certainly make a move towards a better future. Even the best companies make mistakes: Ford’s Edsel marque, New Coke, the 1960-1963 Chevrolet Corvair just to name a few. While GV and Google are completely independent of each other now, it is my hope this move signals a true change in direction going forward for all companies under the Alphabet umbrella.

Censorship and the Hollywood Sign

I read with interest some months ago a Gizmodo article entitled “Why People Keep Trying to Erase the Hollywood Sign From Google Maps”. My interest came first as a freedom and digital rights advocate, and second as a frequent contributor to OpenStreetMap. The latter of these is particularly important as you will see shortly. (Yes, the article is a bit old, but the larger issues are just as important today, and will become no less important as time goes on.)

The Gizmodo article was written by Alissa Walker, who is perhaps best known for her blog awalkerinla.com and specifically this post from 2011 June entitled “The best way to see the Hollywood sign”. In the Gizmodo article, something very disturbing is noted: with the advent of GPS technology, area residents are resorting to putting pressure on the likes of Google, Apple, and Microsoft (Bing Maps) to divert those asking for directions to the Hollywood Sign to either Griffith Observatory or Hollywood & Highland Center.

Such is the problem with relying on corporations for one’s mapping data: corporations are controlled, in the end, by stockholders, who decide it’s in the corporation’s best interest to do such things to avoid a lawsuit. The article goes on to share Alissa’s own experience getting legal threats from a homeowner in the area of Lake Hollywood Park. The threat as quoted from the article:

Please immediately cease and desist from using 3204 Canyon Lake Drive and 6161 Mulholland [Hwy] or any other residence as the address for the Hollywood Sign and change the address to one of the two official viewing spots sanctioned by the Hollywood Sign Trust as shown in their map. The locations are: Griffith Park Observatory and the Hollywood and Highland Center…

Please be advised that up to this point your actions may have simply been due to an oversight of the local situation. However, should the address not be changed going forward, you may be named in a lawsuit and be held liable for damages in an accident or due to your knowing and/or negligent continuing direction of visitors to the viewing spot at 3204 Canyon Lake Drive and 6161 Mulholland Hwy.

As mentioned later in the article, Alissa got some photos emailed to her as well from the same homeowner showing illegal parking attributed to her directions. The way I see it, the tourists driving in the area are the ones responsible for parking lawfully according to the laws of the state of California and the city laws of the appropriate city (whether Hollywood or otherwise). To pin vicarious liability on Alissa for the actions of others is absurd. Information, such as that Alissa gives out, carries with it the responsibility to use it wisely and obey the applicable laws. It is the same as if someone posted the location of a good fishing spot; the use of the information regarding the location of the spot would not be an excuse to violate daily catch limits or other boating regulations (unless the person posting the location were to do something stupid like include “warden never patrols this area” or “don’t worry about the limit”).

Alissa wrote another article for Gizmodo entitled “There Is No Such Thing As An Unbiased Map” a short time later. This one focuses more directly on OpenStreetMap, but also contains a couple of other gems, such as this one:

“If I recall correctly, back in the days of MSN maps, searching for Infinite Loop in Cupertino [where Apple is headquartered] showed a blank spot on the MSN map, as if there wasn’t anything there,” said [former Code for America fellow Lyzi] Diamond. “There is no such thing as an accurate map. It’s all up to cartographers.”

Indeed, it’s a pretty low blow to blank out the campus of a competitor company on one’s own mapping service (though I would think trusting Microsoft to get you to an interview at Apple or Google is not exactly the brightest move either). But this is where OpenStreetMap (hereinafter OSM) really comes into play, as like Wikipedia, it maintains an audit trail of what was added, modified, or deleted, and by whom (at least a screen name, though I would assume the IP addresses are recorded as well somewhere). And yes, you can get accurate directions to the Hollywood sign using OSM data. The community behind OSM considers shenanigans like redirecting visitors to Griffith Park Observatory or Hollywood & Highland Center as vandalism, and rightfully so.

Would our angry homeowner really sue the OpenStreetMap Foundation, or any other non-profits that financially sustain OSM? It’s certainly possible, but I would like to think most people consider suing a non-profit to be off-limits. The mere existence of OSM, however, serves as a rather powerful check on the near-monopolies enjoyed by the likes of Google, Microsoft (Bing Maps), AOL (Mapquest), Apple, and others who, until OSM became a viable alternative, enjoyed an effective oligarchy on map data. Not only do I personally edit OSM, but I wish I could use OSM every time I needed to map something. As it is I still wind up using some other service (usually Google Maps) maybe 20% of the time as of this post.

Houston’s nominal equivalent of the Hollywood sign, the We Love Houston sign on the south side of I-10 near downtown, was among my additions to OpenStreetMap. And so far, there have not been similar issues regarding the We Love Houston sign; then again, it’s still relatively new, and while I admire and respect the work of David Adickes, I wouldn’t realistically expect it to be the same type of tourist draw in its infancy.

[Edit 2022-12-01: awalkerinla.com is now offline, link has been changed to point to an archived version of the linked post.]

The Flappy Bird saga, or: why some people shouldn’t make games

I was originally going to let all the flap about Flappy Bird sail right over my head and into wherever this stuff goes in cyberspace when it’s done being popular. I am, after all, someone who is very un-picky about exactly which games I play, leaning towards GPL software instead of the latest shrink-wrapped Xbox One, PS4, or Wii titles. I thought this didn’t really concern me, but then I read Dwight Silverman’s post to TechBlog about Flappy Bird.

For some reason when I was about to read this, I had thoughts of recent articles about “rape culture” in my head. I had just finished watching a video about a human trafficking problem in Europe.

And then it all made sense.

I’m saying this as someone who never played Flappy Bird (and probably will never get a chance to thanks to Mr. Nguyen’s selfish actions).

This is why I’m leery about depending on mobile phone apps:

[Flappy Bird creator Dong] Nguyen said the main reasons for pulling the game were guilt due to its addictive quality, and the fact that the attention has made his life more complicated[…]

Games are supposed to make people happy. To Mr. Nguyen, making Flappy Bird wasn’t about making people happy. No, Flappy Bird, in the end, wasn’t really the game itself, but a piece on Mr. Nguyen’s game board. A piece that, due to the design of today’s mobile devices, he could choose to take off the board at his own whim. It’s about control, about the opportunity to impose his own morals on those who partook of the game for whatever reason.

Indeed, I think Mr. Nguyen is exactly the kind of person Richard Stallman is warning us about when he refers to the emotional argument in his essay “Why Software Should Be Free”:

The emotional argument goes like this: “I put my sweat, my heart, my soul into this program. It comes from me, it’s mine!”

This argument does not require serious refutation. The feeling of attachment is one that programmers can cultivate when it suits them; it is not inevitable. Consider, for example, how willingly the same programmers usually sign over all rights to a large corporation for a salary; the emotional attachment mysteriously vanishes. By contrast, consider the great artists and artisans of medieval times, who didn’t even sign their names to their work. To them, the name of the artist was not important. What mattered was that the work was done—and the purpose it would serve. This view prevailed for hundreds of years.

(Richard goes on in his essay to mention the economic argument, which I don’t think applies here, as Mr. Nguyen deleted Flappy Bird in spite of it making him a relatively obscene amount of money.)

What if Mr. Nguyen were an arcade game programmer in the late 1970s or early 1980s? It would be as if, say, Taito could have decided those who haven’t yet played one game of Space Invaders at a given point in time could never do so for their entire lives in light of a shortage of 100 yen coins in Japan. (Set aside for the moment that the shortage didn’t actually happen, because it easily could have if Space Invaders was as popular in 1978 and 1979 as Flappy Bird, or even something like Angry Birds, is today.) Or if Atari decided something similar for Pong or Asteroids during those crazes. You get the idea.

And the probable result? There would be an outrage. The video game scene succeeded and became what it was, and rebounded as quickly as it did from the 1983 crash, because the companies knew their role. Once an arcade game was sold, it was sold and there was little the companies could really do regarding how many people got to play them.

So, based on what I have read, and as an electronic game player and historian with over 30 years of experience, it is my expert opinion that Mr. Nguyen has no business making games and for him to do so is a detriment to the entire gaming community. It isn’t proper in the least for any game designer to impose their own morals or value judgments over the players of their games. Nobody else has tried to get away with this, and for good reason. Mr. Nguyen clearly doesn’t give a shit about the gaming community. It is most unfortunate indeed that Apple and Google (and, I would assume should he make Windows Phone games, Microsoft as well) will keep letting him sell games in their respective online stores in spite of this, but again, they don’t have to give a shit either, they get their cut of the revenue.

The personality of Mr. Nguyen and the personality of the average rapist are one and the same. Rape isn’t about sex, it’s about control. Control over a rape victim, control over a Flappy Bird player… one and the same. If you really love a game you’ve made, set it free (GPL).