Welcome to the new year! Threads this week include a brief analysis of the legal problems in store if SOPA and PROTECT-IP become law, what an analysis of the problems with Best Buy might teach libraries, and why open source licensing of clinical tools is important.

Feel free to send this to others you think might be interested in the topics. If you find these threads interesting and useful, you might want to add the Thursday Threads RSS Feed to your feed reader or subscribe to e-mail delivery using the form to the right. New this year is that Pinboard has replaced FriendFeed as my primary aggregation service. If you would like a more raw and immediate version of these types of stories, watch my Pinboard bookmarks (or subscribe to its feed in your feed reader). Items posted to are also sent out as tweets; you can follow me on Twitter. Comments and tips, as always, are welcome.

A Look at the Legal Aspects of SOPA and PROTECT-IP

Two bills now pending in Congress—the PROTECT IP Act of 2011 (Protect IP) in the Senate and the Stop Online Piracy Act (SOPA) in the House—represent the latest legislative attempts to address a serious global problem: large-scale online copyright and trademark infringement. Although the bills differ in certain respects, they share an underlying approach and an enforcement philosophy that pose grave constitutional problems and that could have potentially disastrous consequences for the stability and security of the Internet’s addressing system, for the principle of interconnectivity that has helped drive the Internet’s extraordinary growth, and for free expression.

- Don’t Break the Internet, by Mark Lemley, David S. Levine, and David G. Post, Stanford Law Review

In case you missed the dramatic events in the last days of 2011, SOPA and PROTECT-IP Act, just before Congress recessed for the year lawmakers concerned with the provisions of SOPA offered and debated enough amendments to the draft legislation that they effectively stalled passage through the House Judiciary Committee. At the end of the last committee meeting, the sponsors of SOPA acknowledged that there were significant issues and seemed to agree that they needed a confidential briefing from the Department of Homeland Security on the possible effects on DNSSEC — a highly technical but very important consideration. (Why it needs to be confidential when DNSSEC is an open specification stretches my imagination, but there you go…)

This paper by Lemley, Levine and Post describes the legal implications of enforcing the key provisions of SOPA and PROTECT-IP as drafted. The authors say “the bills represent an unprecedented, legally sanctioned assault on the Internet’s critical technical infrastructure” and describe how it is a bad prescient and why it won’t work in the end. In more positive news, there is an effort underway to draft legislation that would accomplish much of what SOPA and PROTECT-IP say they want to do without many of the downsides.

Why Best Buy is Going out of Business…Gradually

Electronics retailer Best Buy is headed for the exits. I can’t say when exactly, but my guess is that it’s only a matter of time, maybe a few more years.

- Why Best Buy is Going out of Business…Gradually, by Larry Downes, Forbes

The authors tell a story about how as a Best Buy customer he was approached by a salesperson wanting to sell him an on-demand video package of some sort, and that reminded me just a little bit from my academic experience of trying to push bibliographic instruction on students rather than solving the problem they had at hand. The article goes on to describe how online retailers like Amazon are more in tune with customer needs and demands. I couldn’t help but wonder if our library processes and procedures and polices are more like Best Buy or more like Amazon. From what I hear at my consortial perspective we are trending towards Amazon, but are we going to get there fast enough?

By the way, I can highly recommend a recent 51 minute audio interview with Robert Stephens, founder of the Geek Squad and now Chief Technology Officer of Best Buy (after Best Buy purchased and integrated the Geek Squad electronics service chain early last decade. It is a fascinating view of how customer service must trump all other concerns, and how efficiently executing customer service is the true path to survival. There are some lessons in there for libraries as well.

Open Source Licensing Defuses Copyright Law’s Threat to Medicine

Enforcing copyright law could potentially interfere with patient care, stifle innovation and discourage research, but using open source licensing instead can prevent the problem, according to a physician – who practices both at the University of California, San Francisco and the San Francisco VA Medical Center – and a legal scholar at the UC Hastings College of Law.

- Open Source Licensing Defuses Copyright Law’s Threat to Medicine, News service of the University of California, San Francisco

Here’s something to think about. What if new medical advances where suppressed because the diagnostic instruments used were protected by copyright. The doctor in the above article goes on to say that clinical tools tend to resemble one another “not because their creators are unoriginal, but because the tools are based on the same research and the same science.” That is a legal grey area where clinics decide to err on the side of caution and not use something that could be protected by copyright. It sort of reminds me about the unsettled law surrounding orphan works — just enough grey to stifle innovation.

Another “by the way”: I can also recommend a 16 minute recording of Karen Sandler speaking at the recent O’Reilly Media Open Source conference on the need to publish the source code of embedded medical devices under an open source license so the programs could be independently inspected. It, too, comes by way of the IT Conversations podcast. Two podcast mentions in one DLTJ Thursday Threads? What can I say…I listened to a lot of podcasts over the December break.

I’m starting something new on DLTJ: Thursday Threads — summaries and pointers of stories, services, and other stuff that I found interesting in the previous seven days. This is culled from entries that I post to my FriendFeed lifestream through various channels (Google Reader shared items, citations shared in Zotero, Twitter posts, etc.), but since I know not everyone is using those services, it might be useful to post the best-of-the-selected here once a week. Why Thursday? Somewhere long ago I read that Thursday at 11am is the best time to put a post on a blog because Thursday lunch through Friday are the most active time for readers. I have no idea whether that is true or not, but lacking any evidence to the contrary, Thursday morning will do fine. (Obviously I’m a little late on this first one, but I’ll try to do better next time. Or not — maybe this will be a one-off weekly thing.)

MagCloud — On-demand printing of magazines

MagCloud, the revolutionary new self-publishing web service from HP, is changing the way ideas, stories, and images find their way into peoples’ hands in a printed magazine format. Whether you are a novice or experienced publisher, MagCloud offers you a way to create commercial quality magazines, printed on demand with no upfront costs or minimum print runs. MagCloud is creating new ways to bring consumers and publishers together in a web-based marketplace where choice, flexibility and print on demand are the cornerstones of the community.

Could be useful for short-run, professional printing. I learned about this via a conference call with the editorial board of the NISO International Standards Quarterly.

Chris Anderson: How web video powers global innovation (TED Talk)

TED’s Chris Anderson says the rise of web video is driving a worldwide phenomenon he calls Crowd Accelerated Innovation — a self-fueling cycle of learning that could be as significant as the invention of print. But to tap into its power, organizations will need to embrace radical openness. And for TED, it means the dawn of a whole new chapter …

TED curator Chris Anderson takes the stage to talk about what he has seen as the impact of putting TED talks on the net specifically as well as the general case for the impact of services like YouTube on worldwide culture. This is definitely gets one thinking about the power of the visual medium. Closer to home, it also should get one thinking about assisting library patrons in creating and curating this content, no?

Plain English

Every field has its own jargon that’s meaningless to everyone else. Sometimes you want to translate a given -ese into lay terms while preserving the original text. Plain English is designed to facilitate this. The premise is straightforward: The original text is highlighted in yellow. When you click on a phrase, it toggles to the re-written simpler version, in gray. Buttons at the top allow you to toggle the whole thing at once. The words are stored in a simple JSON file.

From the laboratory of Slate Magazine comes this technique for toggling between one set of words and its translated form. I first found this on the NPR Planet Money blog in a post titled The Fed, Translated Into English. They used it to “translate” Fed-speak (e.g. the very dense statements released by the U.S. Federal Reserve) into more common language.

Google New

The one place to find everything new from Google.

Found via Jason Griffey’s post on his American Libraries Perpetual Beta blog. I noted there my frustration that Google New didn’t have an RSS feed to make this list of new things more machine-actionable. I still think that this missing feed functionality is strange, and if I get a chance at some point I’ll try to feed the page through Yahoo! Pipes to make one.

Rising Into the Public Domain: The Copyright Review Management System (CRMS) at the University of Michigan

Interview with John Wilkin, Associate University Librarian for Library Information Technology and Executive Director, HathiTrust and Principal Investigator for CRMS

Interesting insight into how the University of Michigan is tackling the 1923-1963 orphan works problem. (Found via James Grimmelmann)

$1000 bounty offered for JPEG2000 support in Firefox

We’ve waited long enough. Apparently Firefox needs to be dragged kicking and screaming into the early 2000′s. I have a financial interest in seeing this implemented, so I’m going to step up.

I’m going to offer a $1000 bounty for native JPEG2000 support in Firefox, on Windows, Mac, and Linux.

Comment #155 on this feature request has someone putting up real money to have a developer integrate JPEG2000 into the Firefox browser. The ensuing discussion gives a glimpse into how hard and how easy it could be.

White House Issues IPv6 Directive

Network World reports: Federal CIO Vivek Kundra has issued a directive requiring all U.S. government agencies to upgrade their public-facing Web sites and services by Sept. 30, 2012 to support IPv6, the long-anticipated upgrade to the Internet’s main communications protocol. Kundra’s memo mandates that agencies use native IPv6 instead of transition mechanisms that translate between IPv6 and the current standard, which is known as IPv4.

You may not have heard this, but we’re running out of IP addresses. An IP address is the thing computers use to find each other on the net (and not to be confused with domain name system (DNS) addresses — the human friendly things that we put on our business cards and advertisements). In the current version of the Internet Protocol (IPv4), we only have about 4 billion addresses and we’ve used up 95% of them. There has been a big press this year to move to the next generation Internet Protocol (IPv6) that will give us 340 billion billion billion billion addresses (or roughly 50 billion billion billion addresses for each person alive in 2012 when the 4 billion addresses of the existing Internet Protocol run out). The entry of the federal government into the push for IPv6 is expected to accelerate adoption of the new standard.

The famous 1993 cartoon from The New Yorker has the caption “On the Internet, nobody knows you’re a dog.” The question at the moment is: when you’re on the internet, how do you know you are not talking to a dog? When you ask to connect to a remote service, you expect to connect to that remote service. You probably don’t even think about the possibility that “myspace.com” might not be “myspace.com”. But what if you couldn’t rely on that? How about “mybank.com”? Believe it or not, you may exist in such a world today. Last week, US-CERT issued a “Vulnerability Note” on Multiple DNS implementations vulnerable to cache poisoning. What does that mean? Read on…

DNS: The Internet’s Addressbook

It is the Domain Name System, or DNS, that translates an easily recognizable name to an IP address. DNS is a distributed database of names-to-numbers (and numbers-to-names and all sorts of other mappings). A network machine — say, your desktop computer — is running a program (a web browser) that needs to connect to a server. It relies on a DNS client to perform the name-to-number mapping. This figure shows a simplified relationship between all of the parts.

Sequence Diagram Showing Normal DNS Operation

On your computer, the web browser makes a request with the local DNS client to one of the DNS servers it knows. (You’ll see this DNS service listed if you look at the network properties on your computer.) DNS servers can, and typically do, remember the answers to recently asked questions from other DNS clients (a feature called “caching”); if the DNS server can answer the question from its cache, it will. If not, one of two things can happen: 1) DNS Server 1 can send a message back saying it doesn’t know but suggest where it might go to find an answer; or 2) attempt to find the answer itself and send it back to the DNS client. The latter is what is pictured above and is called “recursive name resolution”. DNS Server 1 can also cache the information so as to answer a subsequent question for the same information without having to go out and ask another DNS server for it. ²

When DNS Goes Bad

An attacker with the ability to conduct a successful cache poisoning attack can cause a nameserver’s clients to contact the incorrect, and possibly malicious, hosts for particular services. Consequently, web traffic, email, and other important network data can be redirected to systems under the attacker’s control.

In other words, some rogue agent out on the net tries to inject bad information into a DNS cache by sending specially constructed answers to questions that the caching DNS server never asked. That looks something like this.

Sequence Diagram Showing the Effect of DNS Cache Poisoning

As the US-CERT advisory points out, this is a bad thing. Many internet services rely on the fact that when they ask to connect to a host with a specified name that they will in fact be talking to a host with that name. You want to know that you are sending and receiving e-mail from the servers you expect and that the websites you get information from are the true, correct servers. DNS cache poisoning effectively hides this because the address bar in the browser looks correct.

Beyond Phishing

One Possible Workaround, One Possible Problem

However, in the course of writing this posting, I discovered that OpenDNS itself is engaging in something moderately equivalent to DNS cache poisoning itself, and it is doing it with the address of the most popular website: www.google.com. The problem seems to stem from issues that OpenDNS users were having with hidden software installed on Dell machines as a result of a Dell/Google agreement. David Ulevitch, Founder and CEO of OpenDNS, posted about the impact of Dell/Google’s actions and OpenDNS’s response on the OpenDNS blog last year.

About a year ago Google and Dell announced a partnership to include the Google Toolbar on new Dell computers. At the same time, Google was trying to convince the Department of Justice that changing the default search engine in the (then) new IE7 was too difficult (when in reality it’s really simple). Installing the toolbar meant that users would have Google as their default search engine in IE7. It also meant that Dell and Google would share some of the revenue from the advertising clicks that resulted from these installations, much like The Mozilla Foundation does with its Firefox browser. …

The solution to this problem was to route Google requests through a machine we run to check if the request is a typo or one of your shortcuts. If it is a typo or shortcut then we do what we always do, just fix the typo or launch your shortcut and send you off on your way. If it’s not one of those two things, we pass it on to Google for them to give you search results. This solution provides the best of both worlds: OpenDNS users get back the features that they love and Google continues to operate without problems.

This is what it looks like in a picture:

Sequence Diagram Showing the OpenDNS Response to Dell/Google

Danny Sullivan of Search Engine Land has a more in-depth analysis of Google’s and Dell’s actions. David offers a defense of OpenDNS’s response in a comments on a post to Slashdot (this is the sharpest and most poignant). If offering OpenDNS as a fix for DNS cache poisoning is two steps forward, then OpenDNS’s response to the Dell/Google action is, at best, one step back. I would prefer that Dell not automatically install functionality like this on my PC. I would also strongly prefer that DNS resolvers not try to be too cute. Fortunately, it is possible to turn off this behavior in OpenDNS, which I prefer to do. But, all told, this is just one more lesson about how important the Domain Name Services is to the fundamental operation of the internet, and how easy it is to take for granted.

Updates

Also, there is a C|Net news article talking about how this broad, deep, and important problem was discovered and incrementally disclosed. It is a very interesting read for those who like to know about how internet security happens.

Footnotes

1. This happens with a technique called “Network Address Translation” or NAT. NAT was created to conserve the internet address space (among other reasons) by putting multiple computers behind a device that makes all of the computers look like one machine to the outside world. If you connect to the rest of the world via a small hub, you’re probably using NAT. If the IP address of your computer starts with “10″ or “192.168″ you are definitely using NAT.
2. The amount of time a caching DNS server can hold onto information on behalf of an “authoritative” DNS server is specified as part of the DNS protocol, but such consideration is outside the scope of what is being talked about here.