Sale of .Org Registry Stalled for a few weeks After California AG Steps In

The Internet Corporation for Assigned Names and Numbers (ICANN) has delayed a decision on whether to allow the sale of the organization that controls .org registrations to a band of private equity ghouls after the California attorney general’s office issued a warning.

Domain names with .org suffix are used by countless nonprofits, in part because the nonprofit selected by ICANN to run the .org top-level domain—the Internet Society’s Public Interest Registry (ISOC/PIR)—has kept the cost of registration very low year after year. In theory, though, running that .org registry could be a cash cow to anyone who bought it and jacked up the prices, as nonprofits seeking the renewal of .org domains would be a captive market. Such an opportunity would be especially alluring as ICANN removed price caps on .org registration fees in 2019.

That egregious scenario appears to be in the cards with Ethos Capital, a private equity firm that came out of nowhere to offer ISOC $1.1 billion for control of the PIR, which would be converted to a for-profit firm. (While Ethos appears to have only two employees, it is backed by the tight-fisted goons at Perot Holdings, Fidelity Investments owner FMR LLC, and Solamere Capital, which was started by Mitt Romney’s son.) Ethos has sought to allay concerns with a series of meaningless commitments, such as limiting price increases to 10 percent per year for the first eight years, which compounds to an increase of roughly 114 percent (about 2.14 times today’s price) in under a decade.

ISOC has more or less admitted that it considered the $1.1 billion offer out of greed, with officials telling the L.A. Times the number was so huge “we couldn’t just say no without considering.” ISOC has cleared the sale to move forward, despite the opposition of its own Chapters Advisory Council and the troubling arrangement that PIR would take on $300 million in debt as part of the deal, putting it under immense pressure to rapidly increase revenue. But one big catch is ICANN has to approve the deal or it might fall through. As Ars Technica noted, ICANN’s governance structure allows only limited influence from the internet community and it is subject to only lax regulation from the feds, while the Ethos deal involves several former ICANN officials, so any approval would immediately come under suspicion.

In a letter dated April 15, state A.G. Xavier Becerra—whose office demanded to see confidential documents in January—put everyone involved on blast. Becerra’s letter opens by citing his authority to regulate California-based charitable trusts and public benefits organizations, then cites elements of ICANN’s charter to warn the org that it “must exercise its authority to withhold approval”:

ICANN selected PIR as the registry operator for the .ORG top level domain because of PIR’s commitment to “institute mechanisms for promoting the registry’s operation in a manner that is responsive to the needs, concerns, and views of the non-commercial Internet user community.” If, as proposed, Ethos Capital is permitted to purchase PIR, it will no longer have the unique characteristics that ICANN valued at the time that it selected PIR as the nonprofit to be responsible for the .ORG registry. In effect, what is at stake is the transfer of the world’s second largest registry to a for-profit private equity firm that, by design, exists to profit from millions of nonprofit and non-commercial organizations.

According to the Register, sources with knowledge of the matter said that the letter had unnerved ICANN enough to delay a planned decision on the sale from April 17 to May 4. The California Attorney General’s office declined to comment on whether its investigation into the deal has turned up new information, citing the inquiry’s ongoing nature. But the letter makes clear that the AG has identified particularly troubling elements of an already suspicious arrangement.

“PIR and Ethos have failed to respond to ICANN’s questions regarding PIR’s financial picture after the sale,” Becerra wrote in the letter. “PIR maintains that its anticipated income will be sufficient to service the $300 million loan necessary to complete this purchase and maintain its level of operation. Additionally, as a for-profit entity, PIR will now incur tax liabilities, and its loan will be due in five years.”

“It is, therefore, disturbing that Ethos has failed to identify the new services it contends will generate the necessary revenue to cover those expenses,” he added. “While PIR currently has sufficient income for its operations, as a nonprofit it pays no taxes and is not saddled with a $300 million loan and investors who expect a rate of return.”

Becerra then questioned whether ISOC actually has a legitimate reason to sell the PIR, how the Ethos deal would actually solve those problems, and whether the process by which it agreed to the sale was in good faith:

There has been too little information provided about the sale process by which the proposed transfer sale was agreed to by ISOC. If ISOC was concerned about diversifying its revenue streams, what did ISOC do, if anything, before deciding to sell the .ORG registry agreement? Why did ISOC not conduct a competitive bid process for a new registry operator if it wanted a change in the registry operator? Did ISOC explore options other than a sale to a private equity firm, given that its nonprofit status was key to PIR becoming the .ORG registrar? What consultation, if any, did ISOC conduct with its stakeholders prior to proceeding with the proposed sale?

Furthermore, Becerra warned that ICANN’s arrangement with ISOC to handle the .org registry through PIR “contains a presumption in favor of renewing the agreement following its expiration,” stating that section “makes no sense” if PIR is converted to a for-profit entity.

“Empowering a for-profit entity that could undermine the accessibility and affordability of the .org domain, which serves nonprofits, should concern all of us,” Becerra told Gizmodo in a statement. “We’re urging ICANN to deny the request to transfer control of the .org domain to a for-profit private equity firm. In California, we’re committed to an Internet that serves everyone and we’re simply concerned that this transfer puts profits above the public interest.”

According to the Register, ICANN’s founding CEO Mike Roberts and founding chairman Esther Dyson wrote a letter to Becerra earlier this month accusing ICANN of hypocrisy and urging him to delay the deal by six months.

Becerra didn’t explicitly threaten ICANN or ISOC in the letter, but he did end the letter by reiterating that his office has jurisdiction to intervene.

“ISOC and PIR are charitable organizations that are accountable to their community stakeholders and to the public at large,” Becerra concluded. “… This office will continue to evaluate this matter, and will take whatever action necessary to protect Californians and the nonprofit community.”

In a statement on its website, ICANN acknowledged the letter but disputed that the deal would make PIR beholden only to the demands of its new private equity overlords.

“The Attorney General’s letter does not take into account the recent work that PIR has done to make the entity more responsible to the community,” ICANN wrote. “ICANN requested that PIR strengthen the Public Interest Commitments to ensure meaningful enforceability; a draft of the revised PICs has been provided to the ICANN Board.”

Source: Sale of .Org Registry Stalled After California AG Steps In

Buyer beware—that 2TB-6TB “NAS” drive you’ve been eyeing might be SMR – and won’t work in your NAS

Storage vendors, including but reportedly not limited to Western Digital, have quietly begun shipping SMR (Shingled Magnetic Recording) disks in place of earlier CMR (Conventional Magnetic Recording) disks.

SMR is a technology that allows vendors to eke out higher storage densities, netting more TB capacity on the same number of platters—or fewer platters, for the same amount of TB.

Until recently, the technology had only been seen in very large disks, which were typically clearly marked as “archival”. In addition to higher capacities, SMR is associated with much lower random I/O performance than CMR disks offer.

Storage vendors appear to be getting much bolder about deploying the new technology into ever-smaller formats, presumably to save a bit on manufacturing costs. A few weeks ago, a message popped up on the zfs-discuss mailing list:

WD and Seagate are both submarining Drive-managed SMR (DM-SMR) drives into channels, disguised as “normal” drives.

For WD REDs this shows as EFRX (standard drive) suffix being changed to EFAX suffix (DM-SMR) […] The only clue you’ll get about these drives being SMR is the appalling sequential write speeds (~40MB/s from blank) and the fact that they report a “trim” function.

The unexpected shift from CMR to SMR in these NAS (Network Attached Storage) drives has caused problems above and beyond simple performance; the user quoted above couldn’t get his SMR disks to stay in his ZFS storage array at all.

There has been speculation that the drives got kicked out of the arrays due to long timeouts: SMR disks need to perform garbage-collection routines in the background, and they park incoming writes in a small CMR-encoded write-cache area of the disk before moving them to the main SMR-encoded storage. Once that cache fills, the drive can stall for a long time while it rewrites shingled zones.

It’s possible that long stretches during which the drive accepted no new writes tripped the array’s failure-detection timeouts and marked the disk as bad. We don’t know the details for certain, but several users have reported that these disks cannot be successfully used in their NAS systems—despite the fact that the name of the actual product is WD Red NAS Hard Drive.
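As an added example (not code from the Ars article or from the zfs-discuss poster), here is a POSIX shell check that applies the tells described above to Linux sysfs. Drive-managed SMR disks present themselves as conventional disks, so `queue/zoned` reads `none` for them; the usable tells are a spinning disk that advertises TRIM/discard support (`queue/discard_max_bytes` greater than zero) and, for WD Red, the EFAX part-number suffix from the quoted post. A `host-aware` or `host-managed` value in `queue/zoned` is definitive. The sysfs paths are standard Linux; the model strings in the tests are constructed, and the verdict is a heuristic, not a vendor statement.

```shell
#!/bin/sh
# Added example: heuristic DM-SMR detection from Linux sysfs.
# Assumptions: /sys/block/<dev>/{device/model,queue/rotational,
# queue/discard_max_bytes,queue/zoned} exist (standard Linux); "EFAX" is
# the WD Red SMR suffix named in the quoted zfs-discuss post.

# classify_disk MODEL ROTATIONAL DISCARD_MAX_BYTES [ZONED]
# prints one of: ssd | smr | likely-smr | cmr | unknown
classify_disk() {
    model=$1
    rotational=$2
    discard_max=${3:-0}
    zoned=${4:-none}

    case "$rotational" in
        0) echo ssd; return 0 ;;        # flash: TRIM is expected, not a tell
        1) ;;
        *) echo unknown; return 0 ;;
    esac
    case "$zoned" in
        host-aware|host-managed) echo smr; return 0 ;;   # kernel says so
    esac
    case "$model" in
        *EFAX*) echo likely-smr; return 0 ;;   # WD Red SMR part-number suffix
    esac
    # A spinning disk that advertises discard is almost certainly DM-SMR.
    if [ "$discard_max" -gt 0 ] 2>/dev/null; then
        echo likely-smr
    else
        echo cmr
    fi
}

# Walk sysfs and print one line per SCSI/SATA disk: name, model, verdict.
scan_sysfs() {
    for dev in /sys/block/sd*; do
        [ -e "$dev/queue" ] || continue
        name=${dev##*/}
        model=$(cat "$dev/device/model" 2>/dev/null || echo unknown)
        rot=$(cat "$dev/queue/rotational" 2>/dev/null || echo unknown)
        dmax=$(cat "$dev/queue/discard_max_bytes" 2>/dev/null || echo 0)
        zoned=$(cat "$dev/queue/zoned" 2>/dev/null || echo none)
        printf '%s\t%s\t%s\n' "$name" "$model" \
            "$(classify_disk "$model" "$rot" "$dmax" "$zoned")"
    done
}

scan_sysfs
```

Run it as root on the NAS before adding a drive to a pool; `smartctl -i` and `hdparm -I` show the same discard/TRIM capability if you prefer the vendor tools. A `cmr` verdict only means none of the tells fired, which is why the sequential-write test from the quoted post (write from blank and watch for the ~40MB/s collapse) is still worth doing on an unfamiliar model.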

[…]

What really grinds our gears about this is that the only conceivable reason to shift to SMR technology in such small disks—lowered manufacturing costs due to fewer platters required—doesn’t seem to be passed on to the consumer. Ars’s screenshot (not reproduced here) shows the Amazon price of a WD Red 2TB EFRX and WD Red 2TB EFAX—the EFRX is the faster CMR drive, and the EFAX is the much slower SMR drive.

Western Digital doesn’t appear to be the only hard drive manufacturer doing this—blocksandfiles has confirmed quiet, undocumented use of SMR in small retail drives from Seagate and Toshiba as well.

We suspect the greater ire aimed at Western Digital is due both to the prominent NAS branding of the Red line and the general best-in-class reputation it has enjoyed in that role for several years.

Source: Buyer beware—that 2TB-6TB “NAS” drive you’ve been eyeing might be SMR | Ars Technica

Security lapse exposed creepy Clearview AI source code

Since it exploded onto the scene in January after a newspaper exposé, Clearview AI quickly became one of the most elusive, secretive and reviled companies in the tech startup scene.

The controversial facial recognition startup allows its law enforcement users to take a picture of a person, upload it and match it against its alleged database of 3 billion images, which the company scraped from public social media profiles.

But for a time, a misconfigured server exposed the company’s internal files, apps and source code for anyone on the internet to find.

Mossab Hussein, chief security officer at Dubai-based cybersecurity firm SpiderSilk, found the repository storing Clearview’s source code. Although the repository was protected with a password, a misconfigured setting left self-registration open, so anyone could create a new user account and log in to the system storing the code.

The repository contained Clearview’s source code, which could be used to compile and run the apps from scratch. The repository also stored some of the company’s secret keys and credentials, which granted access to Clearview’s cloud storage buckets. Inside those buckets, Clearview stored copies of its finished Windows, Mac and Android apps, as well as its iOS app, which Apple recently blocked for violating its rules. The storage buckets also contained early, pre-release developer app versions that are typically only for testing, Hussein said.

The repository also exposed Clearview’s Slack tokens, according to Hussein, which, if used, could have allowed password-less access to the company’s private messages and communications.
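As an added example (not Clearview’s or SpiderSilk’s code), here is a small secret scanner of the kind that catches the material the two paragraphs above describe sitting in a repository: cloud credentials and Slack tokens. It walks a source tree looking for fixed-format tokens (the public `xox?-` Slack prefix, the `AKIA`/`ASIA` AWS access-key-ID prefix, PEM private-key headers) and for high-entropy values assigned to secret-looking names. The sample files and the 3.5 bits/char threshold are constructed for this example; the AWS values are Amazon’s documentation placeholders.

```python
"""Added example: a small secret scanner for source trees (not Clearview's code)."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import Path

# Fixed-format secrets: matched on shape alone.
PATTERNS = {
    "slack-token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "aws-access-key-id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])"),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}
# Opaque values assigned to secret-looking names: decided by entropy.
ASSIGNMENT = re.compile(
    r"(?i)(?:secret|password|passwd|token|api[_-]?key|access[_-]?key)\w*"
    r"\s*[:=]\s*['\"]([^'\"\s]{16,})['\"]"
)
ENTROPY_THRESHOLD = 3.5  # bits/char; constructed cut-off between placeholders and key material


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's text; report each suspect value once per line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                seen.add(m.group(0))
                findings.append(Finding(path, line_no, kind, m.group(0)))
        for m in ASSIGNMENT.finditer(line):
            value = m.group(1)
            # Already reported by a fixed-format rule: skip the entropy check.
            if any(value in s or s in value for s in seen):
                continue
            if shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append(Finding(path, line_no, "high-entropy-secret", value))
    return findings


def scan_tree(root: str, max_bytes: int = 1_000_000) -> list[Finding]:
    """Walk a checkout, skipping VCS metadata and oversized files."""
    findings: list[Finding] = []
    for p in Path(root).rglob("*"):
        if not p.is_file() or ".git" in p.parts or p.stat().st_size > max_bytes:
            continue
        text = p.read_text(encoding="utf-8", errors="ignore")
        findings.extend(scan_text(str(p.relative_to(root)), text))
    return findings


# Constructed sample repository contents; none of these are real credentials.
SAMPLE_FILES = {
    "config/settings.py": (
        "# constructed example config, not Clearview's\n"
        "SLACK_BOT_TOKEN = 'xoxb-000000000000-000000000000-FAKEFAKEFAKEFAKEFAKEFAKE'\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "db_password = 'REPLACE_ME_REPLACE_ME'\n"
    ),
    "README.md": "Nothing secret here.\n",
}


def scan_samples() -> list[Finding]:
    """Run the scanner over the constructed sample files."""
    findings: list[Finding] = []
    for path, text in SAMPLE_FILES.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_samples():
        print(f"{f.path}:{f.line_no}: {f.kind}: {f.value[:12]}...")
```

`scan_tree(".")` from the top of a checkout gives the same report for a real tree. The placeholder `REPLACE_ME_REPLACE_ME` is not flagged because its entropy is well under the threshold, while the AWS secret-key placeholder is, which is the distinction the entropy rule exists to make. A scanner like this belongs in a pre-commit hook or CI; it does nothing for a tree that is already reachable through a server with open sign-up, which is why rotating the exposed keys, as Clearview says it did, was still required.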

Clearview has been dogged by privacy concerns since it was forced out of stealth following a profile in The New York Times, but its technology has gone largely untested and the accuracy of its facial recognition tech is unproven. Clearview claims it only allows law enforcement to use its technology, but reports show that the startup courted users from private businesses like Macy’s, Walmart and the NBA. This latest security lapse is likely to invite greater scrutiny of the company’s security and privacy practices.

[…]

Clearview CEO Hoan Ton-That accused the research firm of extortion, but emails between Clearview and SpiderSilk paint a different picture.

Hussein, who has previously reported security issues at several startups, including MoviePass, Remine and Blind, said he reported the exposure to Clearview but declined to accept a bounty, which he said if signed would have barred him from publicly disclosing the security lapse.

It’s not uncommon for companies to use bug bounty terms and conditions or non-disclosure agreements to prevent the disclosure of security lapses once they are fixed. But experts told TechCrunch that researchers are not obligated to accept a bounty or agree to disclosure rules.

Ton-That said that Clearview has “done a full forensic audit of the host to confirm no other unauthorized access occurred.” He also confirmed that the secret keys have been changed and no longer work.

Hussein’s findings offer a rare glimpse into the operations of the secretive company. One screenshot shared by Hussein showed code and apps referencing the company’s Insight Camera, which Ton-That described as a “prototype” camera, since discontinued.

Screenshot caption (image not reproduced): A screenshot of Clearview AI’s app for macOS. It connects to Clearview’s database through an API. The app also references Clearview’s former prototype camera hardware, Insight Camera.

According to BuzzFeed News, one of the firms that tested the cameras is New York City real estate firm Rudin Management, which trialed use of a camera at two of its city residential buildings.

Hussein said that he found some 70,000 videos in one of Clearview’s cloud storage buckets, taken from a camera installed at face-height in the lobby of a residential building. The videos show residents entering and leaving the building.

Source: Security lapse exposed Clearview AI source code | TechCrunch