
Take action to save .org and prosecute those who sold out the internet


As many of you have no doubt heard, control of the .org registry has been sold to private interests. There have been attempts to call them to reason, like Save .ORG, but let’s be realistic: they knew what they’re doing is wrong, the whole time. If they were a commercial entity, our appeals would fall on deaf ears and that would be the end of it. But, they’re not a commercial entity - so our appeals may fall on deaf ears, but that doesn’t have to be the end of it.

The level of corruption on display by the three organizations involved in this scam: ICANN (Internet Corporation for Assigned Names and Numbers), ISOC (The Internet Society), and PIR (Public Interest Registry), is astounding and very illegal. If you are not familiar with the matter, click this to read a summary:

Summary of the corrupt privatization of .org

The governance of names on the internet is kind of complicated. ISOC oversees a lot of activities in internet standards and governance, but their role in this mess is as the parent company of PIR. PIR is responsible for the .org registry, which oversees the governance of .org directly and collects fees for every sale of a .org domain. ICANN is the broader authority which oversees all domain allocation on the internet, and also collects a fee for every domain sold. There's a complex web of documents and procedures which govern these three organizations, and the name system as a whole, and all three of them were involved in this process. Each of these organizations is a non-profit, except for PIR, which in the course of this deal is trying to convert to a B corp.

ICANN can set price limits on the sale of .org domains. In March of 2019, they proposed removing these price caps entirely. During the period for public comment, they received 3,300 comments against, and 6 in favor. On May 13, they removed these price caps anyway.

In November 2019, ISOC announced that they had approved the sale of PIR, the organization responsible for .org, to Ethos Capital, for an unspecified amount. According to the minutes, the decision to approve this sale was unanimously voted on by the board. Additionally, it seems that Goldman Sachs had been involved in the sale to some degree.

Fadi Chehadé became the CEO of ICANN in 2012. In 2016, he left his position before it expired to start a consulting company, and he later joined Abry Partners. One of the 3 partners is Erik Brooks. They later acquired Donuts, a private company managing domains. Donuts co-founder Jon Nevett became the CEO of PIR in December 2018. On May 7th, Chehadé registered EthosCapital.com, and on May 13th ICANN decided to remove the price caps despite 0.2% support from the public. On May 14th, the following day, Ethos Capital was incorporated, with Brooks as the CEO. In November 2019, ISOC approved the acquisition of PIR by Ethos Capital, a for-profit company.

These are the names of the criminals who sold the internet. If you want to read more, Private Internet Access has a good write-up.

Okay, now let's talk about what you can do about it.

If you are familiar with the .org heist, then like me, you’re probably pissed off. Here’s how you can take action: all of these organizations are 501c3 non-profits. The sale of a non-profit to a for-profit entity like this is illegal without very specific conditions being met. Additionally, this kind of behavior is not the sort the IRS likes to see in a tax-exempt organization. Therefore, we can take the following steps to put a stop to this:

  1. Write to the CA and VA attorney general offices encouraging them to investigate the misbehavior of these three non-profits, which are incorporated in their respective states.
  2. File form 13909 with the IRS, encouraging them to review the organization’s non-profit status.

This kind of behavior is illegal. The sale of a non-profit requires a letter from the Attorneys General in both California (ICANN) and Virginia (ISOC, PIR). Additionally, much of this behavior qualifies as “self-dealing”, or leveraging one’s power within an organization for their own benefit, rather than the benefit of the organization. To report this, I’ve prepared a letter to the CA and VA Attorneys General offices, which you can read here:

I encourage you to consider writing a letter of your own, but I would not recommend copying and pasting this letter. However, this kind of behavior is also illegal in the eyes of the IRS, and a form is provided for this purpose. Form 13909 is the appropriate means for reporting this behavior. You can download a pre-filled form here, and I do encourage you to submit one yourself:

This only includes complaints for ICANN and ISOC, as PIR is seeking to lose its non-profit status anyway. You can print out the PDF, fill in your details on both pages, and mail it to the address printed on the form; or you can download the ODG, open it up with LibreOffice Draw, and fill in the remaining details digitally, then email it to the address shown on the page. [1]

Happy Thanksgiving! Funny how this all happened right when the American public would be distracted…

  1. Crash course in LibreOffice Draw: press F2, then click and drag to make a new textbox. Select text and use Ctrl+[ to reduce the font size to something reasonable. The red button on the toolbar along the top will export the result as a PDF. 


The problems with piping curl to a shell are system management ones


I was recently reading Martin Tournoij's Curl to shell isn't so bad (via), which argues that the commonly suggested approach of using 'curl example.com/install.sh | sh' is not the security hazard that it's often made out to be. Although it may surprise people to hear this, I actually agree with the article's core argument. If you're going to download and use source code (with its autoconfigure script and 'make install' and so on) or even pre-built binaries, you're already extending quite a lot of trust to the software's authors. However, I still don't think you should install things with curl to shell. There are two reasons not to, one a general system management one and one a pragmatic one about what people do in these scripts.

The general system management one is that to manage and maintain your system over time, you need to control what changes are made to it and ensure that everything is handled consistently. You don't want someone's install script making arbitrary and unknown changes to your system, and it gets worse when that install script can change over time. The ideal thing to install is an artifact that you can save locally and that makes limited and inspectable changes to your system (if any). Good install options are, for example, a self-contained tarball that you can extract into a directory hierarchy of your choice (and that doesn't even have to be owned by or extracted by root), or a package for the standard package manager on your system that doesn't contain peculiar custom scripts with undesired side effects. An un-versioned shell script fetched from a remote end that you don't save or inspect and that will make who knows what changes on your system is a terrible idea for being able to manage, maintain, and understand the resulting system state.

The pragmatic reason is that for some reason, the people writing these install shell scripts feel free to have them make all sorts of nominally convenient changes to your system on behalf of their software. These shell scripts could be carefully contained, minimal, and unchanging (for a particular release), doing very little more than what would happen if you installed a good package through your package manager, but very often they aren't and you'll wind up with all sorts of random changes all over your system. This is bad for the obvious reason, and it's also bad because there's no guarantee that your system is set up in the way that the install script expects it to be. Of course generally 'make install' has the same problem, which is why experienced sysadmins also mostly avoid running that as root.

(More generally, you really want to manage the system through only one thing, often the system's package manager. This is the problem with CPAN and other independent package systems (although there are good reasons why people keep creating them). Piping curl to a shell and 'make install' are just magnified versions of it. See also why package systems are important.)
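The install shape the post recommends, a saved artifact that makes limited and inspectable changes, sketched as an added example (not code from the original post). It pins the tarball's SHA-256 so the artifact cannot change between review and install, inspects the contents before extracting, and unpacks into a directory of your choice without root; `install_pinned`, `has_unsafe_path`, `make_sample_release` and the `demo-1.0` package are hypothetical names, and the sample release is constructed on the spot.

```shell
#!/bin/sh
# Added example: names and the demo-1.0 sample package are hypothetical.

# Print the SHA-256 of a file as hex, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Read archive member names on stdin; succeed if any would land outside
# the extraction directory (absolute path or a ".." component).
has_unsafe_path() {
    grep -Eq '^/|(^|/)\.\.(/|$)'
}

# install_pinned TARBALL EXPECTED_SHA256 PREFIX
# Returns 0 on success, 1 on hash mismatch, 2 on unsafe contents, 3 on tool errors.
install_pinned() {
    tarball=$1; expected=$2; prefix=$3

    # 1. The saved artifact must be the exact bytes that were reviewed.
    actual=$(sha256_of "$tarball") || return 3
    if [ "$actual" != "$expected" ]; then
        echo "refusing $tarball: sha256 $actual does not match the pin" >&2
        return 1
    fi

    # 2. Inspect before extracting: names must stay under the prefix ...
    members=$(tar -tzf "$tarball") || return 3
    if printf '%s\n' "$members" | has_unsafe_path; then
        echo "refusing $tarball: member path escapes the prefix" >&2
        return 2
    fi
    # ... and every entry must list as a plain file or directory
    # (rejects symlinks and device nodes, which can redirect later writes).
    if tar -tvzf "$tarball" | grep -qv '^[-d]'; then
        echo "refusing $tarball: entries that are not files or directories" >&2
        return 2
    fi

    # 3. Extract into the chosen hierarchy without restoring archive ownership,
    #    and keep a manifest so the change to the system stays inspectable.
    mkdir -p "$prefix" || return 3
    tar -xzo -f "$tarball" -C "$prefix" || return 3
    printf '%s\n' "$members" > "$prefix/.manifest"
}

# Build a constructed sample release tarball under DIR and print its path.
make_sample_release() {
    dir=$1
    mkdir -p "$dir/src/demo-1.0/bin" "$dir/src/demo-1.0/share" || return 3
    printf '#!/bin/sh\necho demo 1.0\n' > "$dir/src/demo-1.0/bin/demo"
    chmod 755 "$dir/src/demo-1.0/bin/demo"
    echo "sample data" > "$dir/src/demo-1.0/share/README"
    tar -czf "$dir/demo-1.0.tar.gz" -C "$dir/src" demo-1.0 || return 3
    echo "$dir/demo-1.0.tar.gz"
}

# Demo: the pin is computed from the sample here; for real software it is the
# digest recorded when the release was reviewed and saved.
work=$(mktemp -d)
release=$(make_sample_release "$work")
pin=$(sha256_of "$release")
install_pinned "$release" "$pin" "$work/opt" && cat "$work/opt/.manifest"
rm -rf "$work"
```

The `.manifest` file lists everything the install put under the prefix, which is what makes a later audit or removal straightforward.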


Target of Police Raid Had Been in Jail for Five Years, Plaintiff Alleges


In a new lawsuit, a Chicago woman alleges that police conducted an unnecessary no-knock raid on her home in January 2015, throwing flash-bang grenades and then charging in with assault rifles. Police did have a warrant, but it’s not entirely clear how they got one. This is because the department knew, or should have known, that the guy they were after was not inside the home. Or any home. And that is because he was inside a prison, where he had been for more than five years.

The raid did corner three individuals, aged 11, 6, and 4 respectively, and their mom. But it appears none of them were charged, probably due to the fact that three of them are 11, 6, and 4 respectively, and also that none of them have anything at all to do with the target.

According to the complaint, the officers were looking for a man named Derec Bell and/or evidence of illegal drug activity engaged in by the said Derec Bell. And Derec Bell had, in fact, once resided at that address, but not more recently than June 2009, the date at which he began residing at the Hill Correctional Center in Galesburg, Illinois. Bell has resided there ever since, and will almost certainly continue to do so until 2029, when his sentence is up. Because he had been imprisoned 200 miles away for the previous five-and-a-half years, therefore, it is not clear how officers established probable cause to believe that evidence pertaining to him might still be found in his prior abode in January 2015. (The plaintiff had moved in three years after Bell moved out.)

“[D]espite the independent vetting of material [information] … and the methodical process to authenticate addresses, errors can occur and information may not be accurate,” a police spokesperson said, thus blaming the information for its own inaccuracy. Police make “every effort” to verify warrants, he continued. Every effort except for checking to see if the target’s already in jail, apparently, because this one was.

The plaintiff is represented by Al Holfeld, Jr., who has brought several excessive-force lawsuits against Chicago and its police recently. The city settled one such case last year for $2.5 million, the report said.

Some believe that the Chicago police department has unconstitutionally engaged in a pattern of excessive force, and those people include the Justice Department, which reached that conclusion in 2017 after a 13-month investigation. According to one report, between 2004 and 2015 the city spent almost $60 million a year on settling cases alleging police misconduct. And I haven’t read all of this article entitled “Two Decades of Torture by Chicago Police,” but the headline sure doesn’t sound good.

Nobody was physically injured in the Looking for Derec Bell Who Was in Prison incident, but the plaintiff does allege that the grenades terrified her and her children, and that the children also did not enjoy having assault rifles pointed at them by screaming officers. Also, she claims the city has not paid for the damage to the home, nor have officers returned some jewelry and other property they confiscated during the visit.

For more on this topic (generally speaking), you may want to consider taking “A Fun Quiz on Military-Style Police Tactics” (Oct. 14, 2014); read about the incident in Idaho where “Cops Trash Home in 10-Hour Standoff With Dog” (Aug. 29, 2016); or try this one where New Jersey police were held at bay for 90 minutes by a cardboard cutout (Dec. 8, 2008).


FBI misused surveillance data, spied on its own, FISA ruling finds


FBI agents ran queries across thousands of US individuals, including potential sources and anyone with access to FBI facilities, against raw metadata from FISA-authorized bulk collection databases. (credit: Bloomberg via Getty Images)

In an October 2018 ruling unsealed and posted on October 8, 2019 by the Office of the Director of Intelligence, the United States Foreign Intelligence Surveillance Court (FISC) found that the employees of the Federal Bureau of Investigation had inappropriately used data collected under Section 702 of the Foreign Intelligence Surveillance Act (FISA). The FBI was found to have misused surveillance data to look into American residents, including other FBI employees and their family members, making large-scale queries that did not distinguish between US persons and foreign intelligence targets.

The revelation drew immediate outcry from privacy advocates and renewed calls for the termination of FISA and the USA FREEDOM Act that authorized bulk intelligence collection. President Donald Trump signed a bill extending Section 702 collection authorizations for six years in 2018; the Office of the Director of National Intelligence announced earlier this year that the administration would seek the extension of authority for collection of call data granted under the USA FREEDOM Act.

In a statement emailed to Ars Technica, ACLU Senior Legislative Counsel Neema Singh Guliani said:

The government should not be able to spy on our calls and emails without a warrant. Any surveillance legislation considered by Congress this year must include reforms that address the disturbing abuses detailed in these opinions. Congress and the courts now have even more reason to prohibit warrantless searches of our information, and to permanently close the door on any collection of information that is not to or from a surveillance target.

Let me Intel-Google that

The Foreign Intelligence Surveillance Court ruling found that the FBI's "querying procedures" for intelligence data did not properly record when the database of intelligence data was searched for information about US persons. "The querying procedures did not require FBI personnel to document the basis for finding that each United States-person query term satisfied the relevant standard—i.e., that queries be reasonably designed to return foreign-intelligence information or evidence of crime," the FISC opinion stated. "Without such documentation and in view of reported instances of non-compliance with that standard, the procedures seemed unreasonable under FISA's definition of 'minimization procedures' and possibly the Fourth Amendment."

Among those instances of "non-compliance" were:

  • Between March 24 and 27, 2017, the FBI ran queries against intelligence data "using identifiers for over 70,000 communications facilities 'associated with' persons with access to FBI facilities and systems," the court noted, "notwithstanding advice from the FBI Office of General Counsel (OGC) that they should not be conducted without the approval of the OGC and the National Security Division of the Department of Justice."
  • On December 1, 2017, a redacted FBI division "conducted over 6,800 queries using the Social Security Numbers of individuals" against raw, unredacted FISA data. A week later, the same unit conducted 1,600 queries using another set of identifiers for US persons. The person who conducted the queries "advised he did not intend to run them against raw FISA information, but nonetheless reviewed raw FISA information returned by them."
  • In February of 2018, the FBI searched raw FISA data for information, with about 30 queries regarding "potential [redacted] sources," and conducted about 45 other queries on people "under consideration as potential sources of information."
  • In an undated event, reported to the Department of Justice's National Security Division in April of 2018, the FBI ran queries against raw FISA metadata using identifiers for "approximately 57,000 individuals" where it was not clear that the information would return foreign intelligence information.
  • Queries against individual US persons were run against the FISA data on a number of occasions, including people about to be served a FISA order—and "a small number of cases in which FBI personnel apparently conducted queries for improper personal reasons—for example, a contract linguist who ran queries on himself, other FBI employees, and relatives."

The court found a huge lack of oversight over the FBI's querying of FISA metadata and ordered the FBI to revise its search procedures. The FISC ruling said that the FISA statutory and Fourth Amendment concerns regarding warrantless searches would be cleared if all queries required written documentation of the basis for a belief by the FBI that searching against a US person's metadata would be "reasonably likely to return foreign-intelligence information or evidence of crime" before anyone at the FBI was allowed access to the contents of FISA data that would be returned by such a search.

aranth (57 days ago): "But definitely trust us with a backdoor into all encryption, tho. We totally promise we won't abuse that one."

Signs of the Sojourner (Alpha, Crowdfunding)

Play through conversations by deciding how to follow your partner’s lead.

Signs of the Sojourner is a conversational deck-building game by the small indie studio Echodog, currently crowdfunding on Indiegogo and featuring writing by the excellent Kevin Snow. A polished, substantial demo is available on itch.io.

In short: I saw Kevin Snow’s pitch about this game and thought, neat, any game with Kevin’s writing is worth a look. Then I paid a couple dollars to download the demo from itch — you can of course get it for free, but it seemed polite. Then I played the demo through from start to finish, twice, getting significantly different experiences in the two playthroughs.

When I got to the end of the second play, I was having so much fun that I really felt quite sulky about the fact that this was just a demo and that I can’t play the full game until later.

Since I really want the full game to exist in maximum glory, I backed it and then came over here to tell you about why it’s cool. And as I wrote up this post, I needed a few more screenshots and wound up replaying almost all of the alpha for a third time because I was still having fun and discovering some new things about how the mechanics worked.

When I heard this described as a conversational deck-building game, I was intrigued but not sure what to expect. The two areas of closest adjacent work I can think of are the narrative deck-building projects built in StoryNexus and the conversational mechanics explored by Tea-Powered Games, especially in their forthcoming Elemental Flow. But this works a bit differently from either of those.

The essential concept is a sort of game of dominos. Your partner plays a card that has one or more output symbols; you need to follow that with a card with a matching input symbol.

My childhood friend Elias offers some easy practice at conversation while my deck isn’t yet very diverse.

Each conversation needs a certain number of positive interactions, represented by the white squares in the upper right area of the conversation status bar, in order to succeed.

Here, I’ve had several good interactions with Alexis, and I just need one more to end the scene happily.

If a conversation goes poorly and one partner isn’t able to match the other’s move, your partner will say something defensive, aggressive, or apologetic. The black squares represent the number of these missteps that the conversation can endure, a sort of shared pool of hit points for the dialogue.

Sadly, I didn’t have a card with a purple square on it, so I wasn’t able to play a match for Airat’s comments here.

Conversations that accumulate too many failures end without you gaining everything you might have gained from that character — trade goods, information, or a temporary travel companion.

This conversation got off to a good start, but then we ran into a series of impasses, because the chandler kept wanting to play blue diamonds and I didn’t have enough blue diamond cards in my deck to be able to work with her.

At the end of every conversation, whether it went well or badly, you have a mandatory gain/trash mechanic: you must choose one card from your existing deck to get rid of — and you can’t use this opportunity to trash junk cards, about which more in a minute — but you also must pick up a new card that you saw your conversation partner use.

Since your initial deck includes five each of two types of card, at first you’re just using this opportunity to diversify your range of options. But you’re also upgrading: some cards feature some kind of wild-card matching or confer an extra effect when played. These mechanics are mostly narratively meaningful: “observe” lets you see your partner’s hand, making it easier to lead cards that they’ll be able to successfully follow; “clarify” lets you play a card into the middle of the sequence rather than at the end, buying time if you can’t play on the final card. I’m especially excited to try the “elaborate” card I found near the end of the game.

The one piece of this that didn’t come through for me quite as strongly in play is the meaning of the symbols themselves, which Echodog describe thus:

At the end of a conversation sequence, the outcome of the conversation depends on which symbol has been played most during the interaction, but it wasn’t generally clear to me, even on two playthroughs, what difference that made; and typically I was just trying to diversify my hand to match as well as possible, rather than, say, trying to maximize my holdings in empathy.

Even if you aren’t picking up the assigned meanings for the symbols, though, character differences do come through in the mechanics very clearly because your various conversation partners are holding very different decks. You start the game with a lot of circle-circle and circle-triangle cards; your childhood friend Elias has a lot of circle-circle and triangle-circle cards. That means it’s extremely easy to get into patterns with him, either continuous streams of circles or oscillation between circles and triangles.

And, initially, you’re not so well equipped to deal with other characters. But as you adjust your deck to be more generally useful, you may actually find that your changing style of behavior makes your discussions with Elias just a bit less smooth than before, an abstract representation of how we grow apart from people. And he has less growth to offer you, too: when you talk to him, you can only ever “learn” pretty basic cards from him, so after a while, he might be making your deck just a little worse.

He never really becomes hard to talk to — there’s usually a way through, and he’s more forgiving of mistakes than most other characters — and there are usually other rewards for talking to him that make it worth the minor hit to your deck quality. But even the slight change of that relationship is an intriguing thing to see arising naturally from the mechanic.

Meanwhile, other character personalities come through different arrangements of the mechanic. Some characters are really one-note, sticking strongly to a particular symbol and not being interested in others. Some are touchy, tolerating fewer bad interactions before they leave. Some are more easily pleased, considering three turns of chat to be a “success” rather than requiring five.

I haven’t yet learned the route to Old Marae, but it appears on my map because a character mentioned it to me in conversation.

All these encounters are set on a map that gradually opens out, allowing you to visit different trading environments. As in 80 Days, conversation reveals new locations to visit, and new locations contain new people to talk to.

Conversation mechanics tie back to the map via more than just the unlocks, though. For one thing, people in distant towns talk in a different way — at any rate, they have cards with different symbols you may not have seen before — capturing the feeling that you might be out of your depth or just not know what to say about local concerns if you’re far outside your own context.

Tiredness and comfort are also beautifully carried over into the deck mechanics. The longer you travel, especially if you take long journeys in certain parts of the map, the more you accrue junk “fatigue” cards in your deck. They match nothing, cluttering up your hand and making it less likely that you’ll have a way to make the conversation progress successfully. The only way to get rid of them is to return home for a rest.

That second card in my hand is a fatigue card. It matches nothing and crowds out other cards that might be a better fit. Unfortunately, in this case, I have nothing that will let me respond to Ophelia’s blue diamond lead, so I’m about to have a negative interaction with her.

And there’s one particular character in the alpha who’s especially likely to unavoidably pounce on you as soon as you get home from a long journey, demanding a difficult dialogue just when you’re least equipped to handle it. Both times I played this scene, the conversation broke down, because though I was trying my best to be constructive, I just didn’t have the resources right then.

I don’t think I’ve ever seen a conversation game represent this effect, and it resonated with me so much. I love talking to people, but when I’m really tired, it becomes substantially harder for me — harder to think what I want to say next, harder to project energy and emotional warmth, harder to interpret social cues from people I don’t already know well.

For a couple years of GDC, I got annoyed with myself because I found networking parties rough going. Then a friend pointed out to me what should have been obvious. I’ve learned a lot of ways of masking and compensating, but I am a massive introvert. Social time drains me, even if I’m truly enjoying it. And 10 PM in a loud room after fourteen hours of other social and intellectual demands is pretty much the worst possible context to expect myself to be sparkly at strangers. I stopped trying to force myself to spend hours at a loud party every night and came up with some other strategies for getting to talk to people that would work better for me.

I feel really seen by this conversation mechanic, is what I’m saying here.

It’s not all mechanics of frustration, though. Partway through the alpha, you get a dog, Thunder. You can have conversation encounters with Thunder, too — but all Thunder’s cards are rainbow pawprint cards that match with everything. It doesn’t matter what you say to Thunder; he will always love you.

Thunder’s deck is nothing but affection.

There’s a lot the conversation mechanic also doesn’t do, in significant difference from most conversational games:

  • portray the protagonist’s speech verbatim at all: we never see a literal representation of anything “you” say
  • allow you to steer to particular topics. Characters want to talk about what they want to talk about, and that will either succeed or fail, but you can’t redirect their course
  • offer you explicit choices where you’re choosing whether or not to do someone a favor or answer a question
  • represent your skills as stats or traits. Everything you’re able to do is represented by the contents of your deck and how you choose to play it

I’m also not entirely sure yet how much statefulness there is in your relationships with other characters; I think I’d need to play beyond the scope of an alpha to find that out.

Anyway. There’s even more I could say here, and I’ve already rattled on quite a long time: about how I like the art style, and how the UI feels very friendly and smooth, and how the setting confronts a climate-changed future but without implying total despair; about how it offers success and failure but in a very gentle way with lots of grades of partial success or interesting consequence to failure, so that you never feel kicked or bullied by the game.

It’s really a generous-spirited and observant piece and I cannot wait for there to be a lot more of it to play.




Thirty-Two Short Stories About Jeffrey Epstein


Today at The Atlantic: link.

Copyright 2017 by the named Popehat author.