Thursday, April 30, 2020

Google wants Australia to remove civil penalties from CLOUD Act-readying Bill


Google has raised a handful of concerns with Australia's pending Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), including the Commonwealth's choice of phrasing, the avenues proposed for record-sharing, and the Bill being at odds with the purpose of the United States' Clarifying Lawful Overseas Use of Data Act (CLOUD Act).

The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa. It would also remove the ability for nominated Administrative Appeals Tribunal members to issue certain warrants.

The Bill is a precondition for Australia to obtain a proposed bilateral agreement with the United States in order to implement the CLOUD Act.

The CLOUD Act creates a legal framework regulating how law enforcement can access data across borders.

If the agreement is finalised and approved, service providers in Australia and the US would be able to respond to lawful orders from the other country for access to electronic evidence.

A bilateral CLOUD Act agreement would enable Australian law enforcement to serve domestic orders for communications data needed to combat serious crime directly on US-based companies, and vice versa.

In a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) for its review of the IPO Bill, Google said that while it encourages and supports efforts by the Australian government to negotiate an executive agreement, certain elements of the Bill give it cause for concern.

"Especially when considering how the interception powers under this Bill could be used in tandem with technical capability notices under the controversial Telecommunications and Other Legislation (Assistance and Access) Act," it wrote.

Making a recommendation to the PJCIS, Google said the Bill should not apply to service providers in their capacity as infrastructure providers to corporations or government entities, saying corporations or government entities are best placed to produce the requested records themselves.

Under the Bill, designated communications providers are instructed to provide any requested communications and data to the requesting agency or the Australian Designated Authority. Google would prefer the authority to be a two-way channel.

"Respectfully, our experience is that a better approach would be that all communications to and from an Australian law enforcement agency be channelled through the Designated Authority and that this authority acts as a coordinator across multiple agencies," it wrote.

"Putting in place a coordinating body will guard against the risk of duplication and will act as a single point of contact for training, education, and access to designated communications providers."

Google also poked holes in the Bill's enforcement threshold.

Civil penalties for non-compliance with an IPO establish a framework for compliance. If a designated communications provider receives a valid IPO and meets the "enforcement threshold" at the time the IPO is issued, it must comply with the IPO.

Google labelled the two-step test that forms this threshold a "relatively low bar to meet".

"Failure to comply with an IPO may lead to a civil penalty of up to AU$10 million for body corporates. The imposition of a mandatory obligation to comply with an IPO is contrary to the purpose of the CLOUD Act which is to lift blocking statutes, but explicitly does not create a compulsory obligation on service providers," it said.

"The authors of the Bill appear to be aware of this dichotomy as the Bill explicitly asserts that Australian service providers do not have to comply with reciprocal requests from international agencies."

Specifically, the search giant said it was concerned by the attempt to impose a mandatory obligation on overseas-based designated communications providers that exists "only in the construct of an otherwise non-compulsory international agreement".

"[We] respectfully request that this be amended to reflect the intent of the CLOUD Act, which is that enforcement procedures be found in existing law, and that references to civil penalties be removed," it wrote.

Elsewhere, Google is seeking further information about the role that eligible judges will play in approving IPOs that involve the interception of communications.

It also wants the appeal options contained within the Bill to be strengthened.

"Deferring to existing appeal mechanisms is not satisfactory given the lack of appropriate merit based appeal processes in other relevant legislation such as the TOLA Act," it continued.

"The reliance on existing law as the primary source for appeal procedures is especially problematic … in particular, overseas providers may be subject to other third-country laws, conflicts with which are not and cannot be lifted through the international agreement, yet no option would exist to raise such an impediment to compliance."

Google said this would create exactly the type of conflict of laws scenario that the CLOUD Act is designed to prevent.

from Latest Topic for ZDNet in... https://ift.tt/2VS1YXp

The New Gatekeepers: Private Firms as Public Enforcers

The world’s largest businesses must routinely police other businesses. By public mandate, Facebook monitors app developers’ privacy safeguards, Citibank audits call centers for deceptive sales practices, and Exxon reviews offshore oil platforms’ environmental standards. Scholars have devoted significant attention to how policy makers deploy other private sector enforcers, such as certification bodies, accountants, lawyers, and other periphery “gatekeepers.” However, the literature has paid insufficient attention to the emerging regulatory conscription of large firms at the center of the economy. This Article examines the rise of the enforcer-firm through case studies of the industries that are home to the most valuable companies in technology, banking, oil, and pharmaceuticals. Over the past two decades, administrative agencies have used legal rules, guidance documents, and court orders to mandate that private firms in these and other industries perform the duties of a public regulator. More specifically, firms must write rules in their contracts that reserve the right to inspect third parties. When they find violations, they must pressure or punish the wrongdoer. This form of governance has important intellectual and policy implications. It imposes more of a public duty on the firm, alters corporate governance, and may even reshape business organizations. It also gives resource-strapped regulators promising tools. If designed poorly, however, the enforcer-firm will create an expansive area of unaccountable authority. Any comprehensive account of the firm or regulation must give a prominent role to the administrative state’s newest gatekeepers. 



from Hacker News https://ift.tt/2KL3GDI

Benefits of Forced Experimentation: Evidence from the London Underground (2015) [pdf]

from Hacker News https://ift.tt/3cACIKW

ICANN Board Withholds Consent for a Change of Control of the .org TLD

Today, the ICANN Board made the decision to reject the proposed change of control and entity conversion request that Public Interest Registry (PIR) submitted to ICANN.

After completing extensive due diligence, the ICANN Board finds that withholding consent of the transfer of PIR from the Internet Society (ISOC) to Ethos Capital is reasonable, and the right thing to do.

ICANN's role is to ensure the stable and secure operation of the Internet's unique identifier systems. We are dedicated to making the right decision, knowing that whatever we decide will be well received by some, and not by others. It is our responsibility to weigh all factors from an ICANN Bylaws and policies perspective, including considering the global public interest. We have done this diligently, ensuring as much transparency as possible and welcoming input from stakeholders throughout.

On 13 November 2019, PIR announced that ISOC, its parent organization, had reached an agreement with Ethos Capital, under which Ethos Capital would acquire PIR and all of its assets from ISOC. Under the agreement, PIR would also be converted from a Pennsylvania not-for-profit corporation to a for-profit Pennsylvania limited liability company. ISOC created and agreed to the transaction details that are under review.

On 14 November 2019, PIR formally submitted to ICANN a "Notice of Indirect Change of Control and Entity Conversion" in advance of closing the proposed transaction between Ethos Capital and ISOC. Since 2003, PIR has operated the .ORG generic top-level domain (gTLD) as a not-for-profit organization, as well as six other gTLDs. Per the gTLD Registry Agreements, ICANN must either approve or withhold consent of a proposed change of control, the deadline for which is 4 May 2020.

ICANN's role has been to evaluate the reasonableness of PIR's request for indirect change of control and entity conversion. In doing so, ICANN evaluated an extensive amount and variety of information related to the proposed transaction, including details of the transaction structure, financing, and other funding sources of Ethos Capital, the parties involved, the role of the Pennsylvania authorities, information related to financial resources and operational and technical capability, how the new for-profit PIR under the control of Ethos Capital would be responsive to the needs of the non-commercial community, what input the .ORG community had provided to PIR or ISOC on the proposed transaction, and how that community input would be reflected in the operations of PIR following its conversion.

Throughout this process, the ICANN Board has worked thoughtfully and thoroughly to determine if it is reasonable under PIR's Registry Agreements for ICANN to either approve or withhold consent to the proposed change of control. Before making our determination, the Board, among other things:

  • Conducted thorough due diligence
  • Received and reviewed hundreds of pages of documentation and responses provided by PIR, ISOC and Ethos Capital following ICANN issuing three requests for more information
  • Was briefed extensively by ICANN org
  • Received and considered more than 30 letters from stakeholders
  • Considered input from an ICANN67 public forum, views of the community and others who weighed in after we received PIR's Public Interest Commitments
  • Considered the opinions expressed in the California Attorney General's Office letter sent to ICANN on 15 April 2020

The Board was presented with a unique and complex situation – impacting one of the largest registries with more than 10.5 million domain names registered. After completing its evaluation, the ICANN Board finds that the public interest is better served in withholding consent as a result of various factors that create unacceptable uncertainty over the future of the third largest gTLD registry. Factors that were considered in determining reasonableness include, but are not limited to:

  • A change from the fundamental public interest nature of PIR to an entity that is bound to serve the interests of its corporate stakeholders, and which has no meaningful plan to protect or serve the .ORG community.
  • ICANN is being asked to agree to contract with a wholly different form of entity; instead of maintaining its contract with the mission-based, not-for-profit that has responsibly operated the .ORG registry for nearly 20 years, with the protections for its own community embedded in its mission and status as a not-for-profit entity.
  • The US$360 million debt instrument forces PIR to service that debt and provide returns to its shareholders, which raises further question about how the .ORG registrants will be protected or will benefit from this conversion. This is a fundamental change in financial position from a not-for-profit entity.
  • There are additional uncertainties, such as an untested Stewardship Council that might not be properly independent, or why PIR needs to change its corporate form to pursue new business initiatives.
  • The transaction as proposed relies on ICANN as a backstop for enforcement of disputes between the .ORG community and the registry operator in an untested manner.

The entire Board stands by this decision. After thorough due diligence and robust discussion, we concluded that this is the right decision to take. While recognizing the disappointment for some, we call upon all involved to find a healthy way forward, with a keen eye to provide the best possible support to the .ORG community.

The Board would like to thank the global community and stakeholders for their engagement.

The resolution and rationale document, which expands upon this decision, is available here.



from Hacker News https://ift.tt/2KLxOij?

The Inevitable Coronavirus Censorship Crisis

Earlier this week, Atlantic magazine – fast becoming the favored media outlet for self-styled intellectual elites of the Aspen Institute type – ran an in-depth article on the problems free speech poses to American society in the coronavirus era. The headline:

Internet Speech Will Never Go Back to Normal

In the debate over freedom versus control of the global network, China was largely correct, and the U.S. was wrong.

Authored by a pair of law professors from Harvard and the University of Arizona, Jack Goldsmith and Andrew Keane Woods, the piece argued that the American and Chinese approaches to monitoring the Internet were already not that dissimilar:

Constitutional and cultural differences mean that the private sector, rather than the federal and state governments, currently takes the lead in these practices… But the trend toward greater surveillance and speech control here, and toward the growing involvement of government, is undeniable and likely inexorable.

They went on to list all the reasons that, given that we’re already on an “inexorable” path to censorship, a Chinese-style system of speech control may not be such a bad thing. In fact, they argued, a benefit of the coronavirus was that it was waking us up to “how technical wizardry, data centralization, and private-public collaboration can do enormous public good.”

Perhaps, they posited, Americans could be moved to reconsider their “understanding” of the First and Fourth Amendments, as “the harms from digital speech” continue to grow, and “the social costs of a relatively open Internet multiply.”

This interesting take on the First Amendment was the latest in a line of “Let’s rethink that whole democracy thing” pieces that began sprouting up in earnest four years ago. Articles with headlines like “Democracies end when they become too democratic” and “Too much of a good thing: why we need less democracy” became common after two events in particular: Donald Trump’s victory in the Republican primary race, and the decision by British voters to opt out of the EU, i.e. “Brexit.”

A consistent lament in these pieces was the widespread decline in respect for “experts” among the ignorant masses, better known as the people Trump was talking about when he gushed in February 2016, “I love the poorly educated!”

The Atlantic was at the forefront of the argument that The People is a Great Beast who cannot be trusted to play responsibly with the toys of freedom. A 2016 piece called “American politics has gone insane” pushed a return of the “smoke-filled room” to help save voters from themselves. Author Jonathan Rauch employed a metaphor that is striking in retrospect, describing America’s oft-vilified intellectual and political elite as society’s immune system:

Americans have been busy demonizing and disempowering political professionals and parties, which is like spending decades abusing and attacking your own immune system. Eventually, you will get sick.

The new piece by Goldsmith and Woods says we’re there, made literally sick by our refusal to accept the wisdom of experts. The time for asking the (again, literally) unwashed to listen harder to their betters is over. The Chinese system offers a way out. When it comes to speech, don’t ask: tell.


As the Atlantic lawyers were making their case, YouTube took down a widely-circulated video about coronavirus, citing a violation of “community guidelines.”

The offenders were Drs. Dan Erickson and Artin Massahi, co-owners of an “Urgent Care” clinic in Bakersfield, California. They’d held a presentation in which they argued that widespread lockdowns were perhaps not necessary, according to data they were collecting and analyzing.

“Millions of cases, small amounts of deaths,” said Erickson, a vigorous, cheery-looking Norwegian-American who argued the numbers showed Covid-19 was similar to flu in mortality rate.  “Does [that] necessitate shutdown, loss of jobs, destruction of oil companies, furloughing doctors…? I think the answer is going to be increasingly clear.”

The reaction of the medical community was severe. It was pointed out that the two men owned a clinic that was losing business thanks to the lockdown. The message boards of real E.R. doctors lit up with angry comments, scoffing at the doctors’ dubious (at best) data collection methods and even their somewhat dramatic choice to dress in scrubs for their video presentation.

The American Academy of Emergency Medicine (AAEM) and American College of Emergency Physicians (ACEP) scrambled to issue a joint statement to “emphatically condemn” the two doctors, who “do not speak for medical society” and had released “biased, non-peer reviewed data to advance their personal financial interests.”

As is now almost automatically the case in the media treatment of any controversy, the story was immediately packaged for “left” and “right” audiences by TV networks. Tucker Carlson on Fox backed up the doctors’ claims, saying “these are serious people who’ve done this for a living for decades” and YouTube and Google have “officially banned dissent.”

Meanwhile, over on Carlson’s opposite-number channel, MSNBC, anchor Chris Hayes of the All In program reacted with fury to Carlson’s monologue:

There’s a concerted effort on the part of influential people at the network that we at All In call Trump TV right now to peddle dangerous misinformation about the coronavirus… Call it coronavirus trutherism.

Hayes, an old acquaintance of mine, seethed at what he characterized as the gross indifference of Trump Republicans to the dangers of coronavirus. “At the beginning of this horrible period, the president, along with his lackeys, and propagandists, they all minimized what was coming,” he said, sneering. “They said it was just like a cold or the flu.”

He angrily demanded that if Fox acolytes like Carlson believed so strongly that society should be reopened, they should go work in a meat processing plant. “Get in there if you think it’s that bad. Go chop up some pork.”

The tone of the many media reactions to Erickson, Carlson, Trump, Georgia governor Brian Kemp, and others who’ve suggested lockdowns and strict shelter-in-place laws are either unnecessary or do more harm than good, fits with what writer Thomas Frank describes as a new “Utopia of Scolding”:

Who needs to win elections when you can personally reestablish the social order every day on Twitter and Facebook? When you can scold, and scold, and scold. That’s their future, and it’s a satisfying one: a finger wagging in some vulgar proletarian’s face, forever.

In the Trump years the sector of society we used to describe as liberal America became a giant finger-wagging machine. The news media, academia, the Democratic Party, show-business celebrities and masses of blue-checked Twitter virtuosos became a kind of umbrella agreement society, united by loathing of Trump and fury toward anyone who dissented with their preoccupations.

Because Conventional Wisdom viewed itself as being solely concerned with the Only Important Thing, i.e. removing Trump, there was no longer any legitimate excuse for disagreeing with Conventional Wisdom’s takes on Russia, Julian Assange, Jill Stein, Joe Rogan, the 25th amendment, Ukraine, the use of the word “treason,” the removal of Alex Jones, the movie Joker, or whatever else happened to be the #Resistance scolding fixation of the day.

When the Covid-19 crisis struck, the scolding utopia was no longer abstraction. The dream was reality! Pure communism had arrived! Failure to take scolding was no longer just a deplorable faux pas. Not heeding experts was now murder. It could not be tolerated. Media coverage quickly became a single, floridly-written tirade against “expertise-deniers.” For instance, the Atlantic headline on Kemp’s decision to end some shutdowns was, “Georgia’s Experiment in Human Sacrifice.”

At the outset of the crisis, America’s biggest internet platforms – Facebook, Twitter, Google, LinkedIn, and Reddit – took an unprecedented step to combat “fraud and misinformation” by promising extensive cooperation in elevating “authoritative” news over less reputable sources.

H.L. Mencken once said that in America, “the general average of intelligence, of knowledge, of competence, of integrity, of self-respect, of honor is so low that any man who knows his trade, does not fear ghosts, has read fifty good books, and practices the common decencies stands out as brilliantly as a wart on a bald head.”

We have a lot of dumb people in this country. But the difference between the stupidities cherished by the Idiocracy set injecting fish cleaner, and the ones pushed in places like the Atlantic, is that the jackasses among the “expert” class compound their wrongness by being so sure of themselves that they force others to go along. In other words, to combat “ignorance,” the scolders create a new and more virulent species of it: exclusive ignorance, forced ignorance, ignorance with staying power.

The people who want to add a censorship regime to a health crisis are more dangerous and more stupid by leaps and bounds than a president who tells people to inject disinfectant. It’s astonishing that they don’t see this.


Journalists are professional test-crammers. Our job is to get an assignment on Monday morning and by Tuesday evening or Wednesday morning act like we’re authorities on intellectual piracy, the civil war in Yemen, Iowa caucus procedure, the coronavirus, whatever. We actually know jack: we speed-read, make a few phone calls, and in a snap people are inviting us on television to tell millions of people what to think about the complex issues of the world.

When we come to a subject cold, the job is about consulting as many people who really know their stuff as quickly as possible and sussing out – often based on nothing more than hunches or impressions of the personalities involved – which set of explanations is most believable. Sportswriters who covered the Deflategate football scandal had to do this in order to explain the Ideal Gas Law, I had to do it to cover the subprime mortgage scandal, and reporters this past January and February had to do it when assigned to assess the coming coronavirus threat.

It does not take that much work to go back and find that a significant portion of the medical and epidemiological establishment called this disaster wrong when they were polled by reporters back in the beginning of the year. Right-wingers are having a blast collecting the headlines, and they should, given the chest-pounding at places like MSNBC about others who “minimized the risk.” Here’s a brief sample:

Get a Grippe, America: The flu is a much bigger threat than coronavirus, for now: Washington Post

Coronavirus is scary, but the flu is deadlier, more widespread : USA Today

Want to Protect Yourself From Coronavirus? Do the Same Things You Do Every Winter : Time

Here’s my personal favorite, from Wired on January 29:

We should de-escalate the war on coronavirus

There are dozens of these stories and they nearly all contain the same elements, including an inevitable quote or series of quotes from experts telling us to calm the hell down. This is from the Time piece:

“Good hand-washing helps. Staying healthy and eating healthy will also help,” says Dr. Sharon Nachman, a pediatric infectious disease specialist at New York’s Stony Brook Children’s Hospital. “The things we take for granted actually do work. It doesn’t matter what the virus is. The routine things work.”

There’s a reason why journalists should always keep their distance from priesthoods in any field. It’s particularly in the nature of insular communities of subject matter experts to coalesce around orthodoxies that blind the very people in the loop who should be the most knowledgeable.

“Experts” get things wrong for reasons that are innocent (they’ve all been taught the same incorrect thing in school) and less so (they have a financial or professional interest in denying the truth).

On the less nefarious side, the entire community of pollsters in 2016 denounced as infamous the idea that Donald Trump could win the Republican nomination, let alone the general election. They believed that because they weren’t paying attention, but also because they’d never seen anything similar. In a more suspicious example, if you asked a hundred Wall Street analysts in September 2008 what caused the financial crisis, probably no more than a handful would have mentioned fraud or malfeasance.

Both of the above examples point out a central problem with trying to automate the fact-checking process the way the Internet platforms have of late, with their emphasis on “authoritative” opinions.

Authorities by their nature are often wrong. Sometimes they have an interest in denying truths, and sometimes they actually try to define truth as being whatever they say it is. “Elevating authoritative content” over independent or less well-known sources is an algorithmic take on the journalistic obsession with credentialing that has been destroying our business for decades.

The WMD fiasco happened because journalists listened to people with military ranks and titles instead of demanding evidence and listening to their own instincts. The same thing happened with Russiagate, a story fueled by intelligence “experts” with grand titles who are now proven to have been wrong to a spectacular degree, if not actually criminally liable in pushing a fraud.

We’ve become incapable of talking calmly about possible solutions because we’ve lost the ability to decouple scientific or policy discussions, or simple issues of fact, from a political argument. Reporting on the Covid-19 crisis has become the latest in a line of moral manias with Donald Trump in the middle.

Instead of asking calmly if hydroxychloroquine works, or if the less restrictive Swedish crisis response has merit, or questioning why certain statistical assumptions about the seriousness of the crisis might have been off, we’re denouncing the questions themselves as infamous. Or we’re politicizing the framing of stories in a way that signals to readers what their take should be before they even digest the material. “Conservative Americans see coronavirus hope in Progressive Sweden,” reads a Politico headline, as if only conservatives should feel optimism in the possibility that a non-lockdown approach might have merit! Are we rooting for such an approach to not work?

From everything I’ve heard, talking to doctors and reading the background material, the Bakersfield doctors are probably not to be trusted. But the functional impact of removing their videos (in addition to giving them press they wouldn’t otherwise have had) is to stamp out discussion of things that do actually need to be discussed, like when the damage to the economy and the effects of other crisis-related problems – domestic abuse, substance abuse, suicide, stroke, abuse of children, etc. – become as significant a threat to the public as the pandemic. We do actually have to talk about this. We can’t not talk about it out of fear of being censored, or because we’re confusing real harm with political harm.

Turning ourselves into China for any reason is the definition of a cure being worse than the disease. The scolders who are being seduced by such thinking have to wake up, before we end up adding another disaster on top of the terrible one we’re already facing.



from Hacker News https://ift.tt/3bU1d5B

Customers should apply the April 2020 Critical Patch Update without delay!

Oracle has recently received reports of attempts to maliciously exploit a number of recently-patched vulnerabilities, including vulnerability CVE-2020-2883, which affects multiple versions of Oracle WebLogic Server.

Oracle strongly recommends that customers apply the April 2020 Critical Patch Update.

Oracle Java Cloud Services customers should refer to MOS Support Note: “Security Notification for WLS CVE-2020-2883 in Java Cloud Service” (Doc ID 2664856.1) for detailed technical instructions.

For more information:



source https://blogs.oracle.com/security/apply-april-2020-cpu

Labor floats active cyber defence and a civilian cyber corps for Australia

Shadow Assistant Communications Minister and Shadow Assistant Cyber Security Minister Tim Watts

Screenshot: Stilgherrian

A UK-style national Active Cyber Defence program (ACD) and a volunteer-driven Civilian Cyber Corps (C3) are two key components of a cyber resilience program being discussed by the Australian Labor Party.

"It's not just about critical infrastructure or government departments, although that's obviously a very big and important part of our cyber resilience," said Shadow Minister for Home Affairs, Immigration and Citizenship, Senator Kristina Keneally.

"As COVID-19 has shown, we need to think about how we protect small businesses, and the people who form the basis of our community and our economy."

Australia needs to push beyond the traditional defence and national security paradigm for cybersecurity, Keneally said, and start adopting a more "public health approach".

"When I say public health approach, I mean an approach that looks at the risk and the susceptibility of the nation as a whole rather than principally focusing on critical infrastructure or big-ticket capabilities, an approach that lifts the baseline cybersecurity capability throughout the nation."

On Friday Labor released a policy discussion paper titled National Cyber Resilience: Is Australia Prepared for a Computer Covid-19?.

It builds on last month's comments from the party's Shadow Assistant Communications Minister and Shadow Assistant Cyber Security Minister, Tim Watts, who had wondered how Australia would cope with a cyber-corona outbreak.

Watts was referring to a scenario where thousands of organisations fall victim, disrupting supply chains with similar effects to the coronavirus pandemic currently sweeping the planet.

Hoping to emulate the UK's active cyber defence 'big wins' 

"Active cyber defence could be a good initiative for improving the collective security of the Australian internet," Watts said in a roundtable hosted by the Australian Strategic Policy Institute International Cyber Policy Centre.

"The [ACD] framework is designed, in the words of the NCSC [National Cyber Security Centre, part of the Government Communications Headquarters], to take away most of the harm from most of the people most of the time."

ACD has been at the centre of the UK government's cyber defences since 2016. It aims to raise the cost and risk of mounting commodity cyber attacks in the UK, and to reduce the return on investment for those criminals.

One of the NCSC's earliest ACD projects was to deploy the Domain-based Message Authentication, Reporting and Conformance protocol (DMARC) across the .gov.uk domains to help eliminate spam and other email spoofing attacks.

NCSC began monitoring internet routing to stop DDoS attacks and route hijacks in 2018, and since then has had some big wins. They've even proposed building an automated national cyber defence system.

"Simple things done at scale can have a difference," said NCSC technical director Dr Ian Levy in 2018. "My job is not to beat cybercrime. It's to send it to France."

Last month the NCSC took down 2,000 coronavirus scammers as part of a major phishing campaign.

Watts says that the current state of Australia's cyber resilience is "very varied". The Australian Signals Directorate (ASD) and the big banks are "great, they're well placed", but ASX 50 companies are "a bit more mixed".

"When you look at Commonwealth entities, they're a decidedly mixed bag. We've got a very substantial body of evidence from the Australian National Audit Office there," Watts said.

"And then when you look at small business, they're really not able to protect themselves from commodity cyber attacks, let alone anything more sophisticated."

From cyber posse to cyber civil corps

Watts is "personally attracted" to the potential of some sort of civilian cyber defence organisation.

"It's a volunteer-driven organisation with a professional framework that allows part time [or] retired volunteer people with cybersecurity skills to leverage up their expertise and build capacity through their organisations," he said.

"Whatever we're doing in this post-COVID-19 space in national cyber resilience, our view is that it needs to work fundamentally through the broader community."

The C3 concept is not dissimilar to the Rural Fire Service (RFS) or State Emergency Service (SES) organisations that already exist in Australia at the state level.

It's also a concept that has some history.

Back in 2012, critical infrastructure security expert Emeritus Professor Bill Caelli suggested forming a cyber posse when needed.

Under common law, Caelli argued, police or other authorities could simply enlist any technically adept citizens and form a posse to deal with the bad guys.

In 2016, Professor Greg Austin, then at the Australian Centre for Cyber Security (ACCS) at the Australian Defence Force Academy (ADFA) in Canberra, proposed an Australian Cyber Civil Corps.

The corps would consist of organised volunteer "rapid response teams" to deal with "extreme cyber emergencies" in the civil sector.

"Extreme cyber emergencies in the civil sector in cyber space are of such low probability that a full-time standing response force cannot be justified, even if Australia could afford it," Austin wrote.

Austin sharpened his call for such an organisation in 2019.

The Research Group on Cyber War and Peace at the University of New South Wales Canberra Australian Defence Force Academy, which he led, noted that Australia was "not adequately prepared" for a so-called "cyber storm", or multi-vector, multi-wave destructive cyber attack against the country's infrastructure.

"The benefit of the SES model is that it brings together disciplined structures of command authority through a relevant Minister, the commissioner, zone commanders, local commanders and unit commanders," the research group wrote.

"The current practice of appointing retired military commanders to commissioner roles in some states also provides a useful pointer for cyber civil defence policy. In the current New South Wales SES Act, state police are subordinated to the SES Commissioner in the event of emergency."

Watts sees a preventative role for C3 organisations, including community outreach and education.

"New America Foundation, the US think tank, has published a piece where they articulate a model where groups like this could actually do testing, assessments, and exercises with local not-for-profits, with small businesses," he said.

"Once you build that capability throughout the society, you also have this potential for an on-call expertise resource ... if there is a large scale cyber incident."

Labor stressed that the discussion paper is not a commitment to policy positions.

"We want to put forward some ideas to explore as we seek to develop our policies," Keneally said.

"We want to ensure that we are thoroughly investigating as a party, as an opposition, as a party of government, and with key stakeholders, what the Australian government should be looking at now, and how we should be prepared for cyber threats in the future."


from Latest Topic for ZDNet in... https://ift.tt/2Yo6bnA

ICANN Board Withholds Consent for a Change of Control of the .org Registry

Today, the ICANN Board made the decision to reject the proposed change of control and entity conversion request that Public Interest Registry (PIR) submitted to ICANN.

After completing extensive due diligence, the ICANN Board finds that withholding consent of the transfer of PIR from the Internet Society (ISOC) to Ethos Capital is reasonable, and the right thing to do.

ICANN's role is to ensure the stable and secure operation of the Internet's unique identifier systems. We are dedicated to making the right decision, knowing that whatever we decide will be well received by some, and not by others. It is our responsibility to weigh all factors from an ICANN Bylaws and policies perspective, including considering the global public interest. We have done this diligently, ensuring as much transparency as possible and welcoming input from stakeholders throughout.

On 13 November 2019, PIR announced that ISOC, its parent organization, had reached an agreement with Ethos Capital, under which Ethos Capital would acquire PIR and all of its assets from ISOC. Under the agreement, PIR would also be converted from a Pennsylvania not-for-profit corporation to a for-profit Pennsylvania limited liability company. ISOC created and agreed to the transaction details that are under review.

On 14 November 2019, PIR formally submitted to ICANN a "Notice of Indirect Change of Control and Entity Conversion" in advance of closing the proposed transaction between Ethos Capital and ISOC. Since 2003, PIR has operated the .ORG generic top-level domain (gTLD) as a not-for-profit organization, as well as six other gTLDs. Per the gTLD Registry Agreements, ICANN must either approve or withhold consent of a proposed change of control, the deadline for which is 4 May 2020.

ICANN's role has been to evaluate the reasonableness of PIR's request for indirect change of control and entity conversion. In doing so, ICANN evaluated an extensive amount and variety of information related to the proposed transaction, including details of the transaction structure, financing, and other funding sources of Ethos Capital, the parties involved, the role of the Pennsylvania authorities, information related to financial resources and operational and technical capability, how the new for-profit PIR under the control of Ethos Capital would be responsive to the needs of the non-commercial community, what input the .ORG community had provided to PIR or ISOC on the proposed transaction, and how that community input would be reflected in the operations of PIR following its conversion.

Throughout this process, the ICANN Board has worked thoughtfully and thoroughly to determine if it is reasonable under PIR's Registry Agreements for ICANN to either approve or withhold consent to the proposed change of control. Before making our determination, the Board, among other things:

  • Conducted thorough due diligence
  • Received and reviewed hundreds of pages of documentation and responses provided by PIR, ISOC and Ethos Capital following ICANN issuing three requests for more information
  • Was briefed extensively by ICANN org
  • Received and considered more than 30 letters from stakeholders
  • Considered input from an ICANN67 public forum, views of the community and others who weighed in after we received PIR's Public Interest Commitments
  • Considered the opinions expressed in the California Attorney General's Office letter sent to ICANN on 15 April 2020

The Board was presented with a unique and complex situation – impacting one of the largest registries with more than 10.5 million domain names registered. After completing its evaluation, the ICANN Board finds that the public interest is better served in withholding consent as a result of various factors that create unacceptable uncertainty over the future of the third largest gTLD registry. Factors that were considered in determining reasonableness include, but are not limited to:

  • A change from the fundamental public interest nature of PIR to an entity that is bound to serve the interests of its corporate stakeholders, and which has no meaningful plan to protect or serve the .ORG community.
  • ICANN is being asked to agree to contract with a wholly different form of entity; instead of maintaining its contract with the mission-based, not-for-profit that has responsibly operated the .ORG registry for nearly 20 years, with the protections for its own community embedded in its mission and status as a not-for-profit entity.
  • The US$360 million debt instrument forces PIR to service that debt and provide returns to its shareholders, which raises further questions about how the .ORG registrants will be protected or will benefit from this conversion. This is a fundamental change in financial position from a not-for-profit entity.
  • There are additional uncertainties, such as an untested Stewardship Council that might not be properly independent, or why PIR needs to change its corporate form to pursue new business initiatives.
  • The transaction as proposed relies on ICANN as a backstop for enforcement of disputes between the .ORG community and the registry operator in an untested manner.

The entire Board stands by this decision. After thorough due diligence and robust discussion, we concluded that this is the right decision to take. While recognizing the disappointment for some, we call upon all involved to find a healthy way forward, with a keen eye to provide the best possible support to the .ORG community.

The Board would like to thank the global community and stakeholders for their engagement.

The resolution and rationale document, which expands upon this decision, is available here.



from Hacker News https://ift.tt/2KLxOij

Millions of emails leaking from sites to advertising and analytics companies


Numerous Enterprise Organizations Leaking User Emails Through 3rd Party Javascript Request Headers Sent via Browsers to 3rd Party Advertising & Analytics Companies

Each of these orgs leaked user emails by unsafely appending the user email to a URL in plain text (or encoded in base64) and then having the user emails leak to 3rd party advertising and analytics companies.

When any 3rd party Javascript code loads on a website, metadata from the user and the website can be transmitted to the 3rd party domain / company that controls that code — this is technically through the “Request Headers” sent through a browser — and this data can include what page a user is visiting, what type of device and browser they are using, their location, and other forms of fingerprinting / cookies / URL querystring/ URL parameters that are used by advertising and analytics companies.

This type of leak, where user email data in the URL bar is passed on to Javascript pixels, is most typically blocked by a regular person through “Ad blockers” or by browsers like Safari, Brave, and Firefox — those browsers block third-party Javascript/cookies by default to protect users (each browser handles it slightly differently). The breach and research included here would impact all Chrome users of these websites who went through these specific user flows and who didn’t proactively block all Javascript (a rarely used option) or use a Chrome “Ad blocker” extension that blocked this type of Javascript. Some people using the other “safe” browsers (Safari/Brave/Firefox) could have been protected from the leak because their 3rd party Javascript requests were blocked.

Most of the data breaches that were found (some are still live breaches as of publishing) are caused by a sloppy and dangerous growth hack that is used to improve attribution tracking for analytics tools and used to optimize and segment retargeting advertising campaigns.

Several of the breaches involve “plain text” user emails — this is when you can literally read the email in the URL with minimal changes/encodings.

Some of the breaches involve a form of plain text known as “base64 encoding” — in short, base64 is an encoding scheme (available in every programming language) that is NOT a form of encryption and provides no user protection. A base64 string can be decoded with many tools, and there is even a free service from the s̶p̶i̶e̶s̶ nice folks at GCHQ called CyberChef for parsing custom base64 encodings.
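The mechanism described above (an email appended to a URL in plain text, percent-encoded, or base64, then carried to third-party scripts along with the page URL) can be checked for with a small scanner. The following is an added example, not code from the original post or from any of the sites it discusses; the sample URLs, the `shop.example` host, the addresses in them and the `TOKEN_STORE` stand-in for a server-side token table are all constructed for illustration. It flags email addresses in the path, query and fragment of a URL, restores stripped base64 padding before decoding, and shows the opaque-token alternative that keeps identifying data out of the URL altogether.

```python
"""Added example (not from the original post): scan URLs for user e-mail
addresses that would leak to third-party scripts, and show an opaque-token
alternative.  All sample URLs below are constructed for illustration."""
import base64
import binascii
import re
import secrets
from urllib.parse import parse_qsl, unquote, urlsplit

# Loose e-mail pattern: local-part@domain.tld
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Candidate base64 / base64url tokens; padding optional (sites often strip it)
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{8,}={0,2}$")


def decode_base64_loose(token):
    """Yield UTF-8 decodings of *token* under standard and URL-safe base64,
    restoring any stripped '=' padding.  Undecodable garbage is skipped."""
    if not B64_RE.match(token):
        return
    padded = token + "=" * (-len(token) % 4)
    for decoder in (base64.b64decode, base64.urlsafe_b64decode):
        try:
            yield decoder(padded).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue


def find_emails_in_value(value):
    """Return the e-mail addresses present in one URL component, whether
    written in plain text, percent-encoded, or base64-encoded."""
    found = set()
    text = unquote(value)
    found.update(EMAIL_RE.findall(text))
    # Try every base64-looking token inside the value (e.g. "u=YWxp...").
    for token in re.split(r"[^A-Za-z0-9+/_=-]+", text):
        for decoded in decode_base64_loose(token):
            found.update(EMAIL_RE.findall(decoded))
    return sorted(found)


def scan_url(url):
    """Return (location, email) findings for each part of *url* a browser
    exposes: the path and query travel in the Referer header and in tracking
    pixels' page-URL field; the fragment is not sent in Referer but is still
    readable by any script running on the page."""
    parts = urlsplit(url)
    findings = []
    for segment in parts.path.split("/"):
        for email in find_emails_in_value(segment):
            findings.append(("path", email))
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        for email in find_emails_in_value(value):
            findings.append((f"query:{key}", email))
    for email in find_emails_in_value(parts.fragment):
        findings.append(("fragment", email))
    return findings


# Stand-in (assumed, not a real API) for a server-side table of single-use
# tokens: token -> e-mail.
TOKEN_STORE = {}


def opaque_login_link(base_url, email):
    """Hardened variant: the URL carries a random, meaningless token that the
    server resolves, so nothing identifying reaches third-party scripts."""
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[token] = email
    return f"{base_url}?t={token}"


# Constructed sample URLs (no real site or person).
SAMPLE_URLS = [
    "https://shop.example/welcome?utm_source=mail&email=alice%40example.com",  # percent-encoded plain text
    "https://shop.example/login?u=YWxpY2VAZXhhbXBsZS5jb20",                   # base64, padding stripped
    "https://shop.example/account/bob@example.com/orders",                    # plain text in the path
    "https://shop.example/promo?campaign=spring&ref=homepage",                # clean
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", scan_url(url) or "no e-mail found")
    link = opaque_login_link("https://shop.example/login", "alice@example.com")
    print(link, "->", scan_url(link) or "no e-mail found")
```

Running the scanner over a site's own redirect, login and campaign URLs (or over proxy logs) surfaces exactly the pattern the article describes before a third-party pixel does. The opaque-token form is the structural fix; a `Referrer-Policy` of `strict-origin-when-cross-origin` or `no-referrer` on the pages in question reduces what the Referer header carries, but does not stop scripts that read `location.href` directly, which is why the email has to leave the URL.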

Before I get into the details about how this breach happens, and the specific circumstances surrounding the examples, I want to briefly acknowledge and give credit to the team at Wish.com for how quickly they changed their entire email architecture after being informed of their breach — in less than 72 hours Wish had completely rebuilt their email architecture and they had built a completely new auto-login flow via email.

I believe the Wish.com breach was the largest out of all the examples in this research, and it lasted over a year and likely involved hundreds of millions of user emails in a base64 plain-text format being shared with analytics and advertising companies, but their work to quickly escalate the problem, realize the scope, and then pull the trigger to rebuild their systems was a dramatically better response than how other organizations handled these reports. I believe Wish and all organizations in this research should be requesting deletion of user emails from any 3rd party logs held by external advertising and analytics companies, but it appears no organization has submitted this request to their partners, even after being notified of their breaches.

For the most part, these user email data breaches are still live as of publishing this research — and in this research I’ll show you how to “breach yourself” by just using current website signup flows and other normal website features on the specific websites in question.

I also want to thank Eliya Stein at Confiant.com for being a sounding board on these technical issues, and helping to provide an additional vet and other important context around the Wish.com breach (those details below).



from Hacker News https://ift.tt/2W8WVAV

Grab Asks Staff to Take No-Pay Leave to Cut Costs

A pedestrian walks past signage for Grab in Singapore.

Photographer: Paul Miller/Bloomberg

Ride hailing and food delivery provider Grab Holdings Inc. has begun asking its staff to go on voluntary no-pay leave or take reduced working hours to help it avoid cutting jobs, the latest sign of troubles at Southeast Asia’s most valuable startup.

The Singapore-based company, which is backed by SoftBank Group Corp., said it has given its staff across the region an option to take flexible working options, including sabbaticals, where there is excess capacity. Grab, last valued at $14 billion, has 6,000 employees.

“We are taking active steps to conserve cash and manage our employee base, before we consider layoffs,” the company said in response to queries from Bloomberg News. “There is a lot of uncertainty as to the depth and duration of the pandemic and we don’t know how long the economic recession will last.”

Grab Chief Executive Officer Anthony Tan warned last week that the coronavirus is creating significant challenges that will require “tough decisions” about cutting costs and managing capital.


On-demand service companies have been hit hard in the economic slowdown caused by the pandemic. Responding to plunging demand for rides, Lyft Inc. said this week it will eliminate the jobs of almost 1,000 employees across the company, or about 17% of its workforce.



from Hacker News https://ift.tt/3cTRht8

How to extract uranium from seawater for nuclear power




from Hacker News https://ift.tt/2WhOoLN

The sweary, ranty YouTuber who's become an isolation cooking sensation


Looking every inch the metal drummer he is, Nat (no surname) is an unlikely Vera Lynn for our times. And yet, the Sydney comedian’s no-nonsense cookery segments are bringing comfort to the masses.

“What’s going on, Iso-Lords?” he says, introducing his latest clip, The Crowd Goes Mild Curry. “We’re back in the kitchen, saying no to jar sauce.”

Behind a sparkling-clean counter laden with fresh vegetables, spices and herbs stands Nat: black band T-shirt, hair halfway down his torso, arms and neck covered in tattoos. He walks us through the ingredients before getting stuck into the methodology.

“If you’ve got one of these cheeky bastards, use this. It’s called a microplane. I know it sounds like a small aircraft, but it’s just a pretentious name for a fine grater. If you don’t have one of these pratty things you can just use a normal grater, and if you don’t think you’ve got one of these, you’re wrong. You’ve got four of them and they’re buried behind the other three.”

The Nat’s What I Reckon YouTube channel has been in operation for 10 years, with 85,000 subscribers to Nat’s ocker brand of social commentary, rife with wordplay and colourful metaphors. Now he’s taken off to an even wider audience with recipes that wage war on processed food, like his End of Days Bolognese. Each video has clocked up around 5m views so far, and won him fans in the Foo Fighters’ Dave Grohl, DJ Carl Cox and the actor Yael Stone.

Sitting in a cluttered Sydney office on a Skype call with Guardian Australia, Nat apologises for being ineloquent. He doesn’t mean the fact that his dialogue is always peppered with swearing and mumbling, but the fact he’s trying to be helpful while struggling with fatigue. He works full-time on the clips with his girlfriend – he edits and answers messages, she films and designs – and says he’s not sleeping much from fielding business inquiries.

“It’s just a fucking tidal wave at the moment,” he says, looking dazed. “It’s hard to remember anything.”

Nat got the idea to diversify into cooking segments after the lockdown cancellation of what would have been his first live comedy tour (“heartbreaking”), but his own health kick was also an impetus. In earlier material, he’d wander around trade shows and art happenings with a mic, a perplexed attitude and what looked like a well-tended beer gut.

“I’ve lost about 24 kilos,” he says. “I had one of my lungs removed a while ago and put on a bit of weight because I was pretty sick. Going to the gym wasn’t doing anything and the gut wasn’t helping my breathing, so I started looking into what food I was eating.”

What better time to turn that knowledge into a public service than during the panic-buying of jar sauce and packet soup? “There’s a fresh food section in the supermarket that hasn’t been touched and yet empty shelves of pasta sauce,” he says. “You’re fucking stuck at home – what are you doing? Eat better.”

Other Australian YouTube-reared comedians have covered the coronavirus pandemic in styles verging from satirical to political, such as Sooshi Mango, Alex Williamson and Jordan Shanks, but there’s something weirdly comforting – benevolent, even – about Nat’s grouchy big-brother style. Maybe it’s his “settle down” tone (even if he’s actually arguing about the fact we shouldn’t be putting zucchini in spag bol), or the fact he avoids shaming people, other than the odd “make sure you wash your fucking hands, you grubs”.

“Sometimes parents remake my videos with their kids and send them to me,” he says. “It’s pretty unreal that kids are digging it. I’m not going to judge your parenting.”

Damo is a Sydney-based chef (and a friend of mine) who watches Nat’s videos with his 11-year-old and nine-year-old, who’ve started spinning and whistling, Nat-style.

“He hit a chord with us because he feels familiar and we think we’d enjoy hanging out with him,” says Damo. He’s not surprised to hear that Nat’s dad was a chef who taught his son to cook. “He knows what he’s doing in the kitchen – I assumed that he was trained because he knows how to use a knife.

“One other thing that made me admire him is that during one video he said something like, ‘Just have a go, you’re more talented than you realise.’ I thought, this guy’s genuine, that’s a really nice thing to prop people up with. Then I found his videos on depression and anxiety, and I gained shitloads of respect for him.”

Damo’s talking about one of Nat’s segments called Is It Sh*t?, in which he once reviewed his own anxiety, and the comedian was also an ambassador for The Big Anxiety festival from the University of New South Wales in 2019. His current bio describes his work as “holding up a mirror to masculine culture”, though I can’t help wondering if he’s retrofitted that, since he surely started out just recording whatever made his mates laugh.

“I’ve always made fun of that narrow-minded boofhead thing,” Nat says, not taking offence. “The trade-show reviews I did were all about sticking it to boys’ clubs. Boats, burnouts, that kind of shit.”

That’s true; as well as his review of “massive money hoon” the Sydney Boat Show, which was the turning point for his popularity, he’s affectionately lampooned revhead events such as Canberra’s Summernats. Not using his surname saves him some grief from the dedicated car crowd.

So far, Nat’s What I Reckon has mostly been monetised through a merchandising line. The comedian avoids the sponsorship deals that are rife among social media figures, “given that the whole point is it’s me and what I reckon”. Still, it’s likely that international touring, once restrictions lift, will fill the coffers – though Nat can’t figure out how his hefty American fanbase can even understand him.

For now, his Australian tour has been rescheduled for September, and it’s nearly all sold out. Broader than standup, which he’s done for a couple of years, it will draw on multimedia and interactive crowd skits, and he’s turned his anxiety into a game show. All that’s missing is a set from one of his bands, Penalties or Keggerdeth.

“[Until then] I’m going to keep doing what I’m doing, smashing out videos, because it seems to be working,” he says. “The plan is to keep my hands on the wheel and hang on for dear life.”



from Hacker News https://ift.tt/3f0HH9B

California, Los Angeles see jump in new cases, Bay Area continues down


As California Gov. Gavin Newsom faces pushback for his expected order to close some beaches this weekend, the state saw a dramatic increase in the number of new COVID-19 cases, reaching the highest number of new cases recorded in a single day since the pandemic began.

Throughout the state, there were 2,380 new coronavirus cases Wednesday, bringing the total number of cases in California to 48,770, according to data compiled by this news organization. The new cases Wednesday represent a 91% increase from the day before and a 3% increase from April 20, when the state had 2,312 new cases, previously the highest recorded number of new cases in a single day.

Los Angeles County accounted for 63% of the new cases, reporting 1,509 on Wednesday, according to this news organization’s data. That’s also the highest number of new cases ever recorded in a single day in that county. The day before, Los Angeles had 559 new cases, and, like the rest of California, had been on a downward pace in recording new daily cases since April 20, when it recorded a then-high of 1,475 new cases.

Other Southern California counties saw big jumps in new cases Wednesday. They include Riverside, which, with 3,942 total COVID-19 cases, has the second highest number of cases in the state. Riverside reported 207 new cases, a 125% increase from the day before. The others were Orange and San Bernardino counties, which each had 101 new cases, increases of 83% and 304%, respectively.

The number of deaths in the state also continued to climb to a total of 1,943. There were only 78 new deaths reported Wednesday. That’s a 33% drop from April 22, when the state reported 188 deaths, the highest number in a single day.

The state Department of Public Health also reported that the number of COVID-19 tests reported statewide had reached 603,139 on Monday, a 4% increase from the day before.

Prior to Wednesday, the number of new daily cases had begun to slow in California, offering an encouraging sign that the state was on track to meet one of Newsom’s requirements for moving it out of its current stay-at-home order and allowing schools, businesses and workplaces to gradually reopen.

The Bay Area, in contrast to Los Angeles and the rest of this state, continued to see the pace slow in the number of new cases Wednesday, according to this news organization’s data. It reported 149 new cases, which brought its total number of cases to 8,101. The new cases Wednesday represent a 9% drop from the day before.

The number of new COVID-19-related deaths reported daily also continued to slow in the Bay Area. There were seven deaths on Wednesday, bringing the region’s total to 283. But Wednesday’s reported deaths represents a 66% decrease from the 21 deaths recorded on April 22.

In fact, Santa Clara County, once the region’s epicenter of its COVID-19 crisis, recorded its lowest number of new cases in a single day — just 12 — since the pandemic began.

On Wednesday, public health officials in six Bay Area counties announced that shelter in place would continue through May 31. But the officials — in Santa Clara, San Mateo, San Francisco, Alameda and Contra Costa counties — also began the process of moving the region towards normalization by loosening restrictions on some outdoor activities and businesses such as construction and golf, as well as some forms of childcare.

On Tuesday, Newsom talked about how schools could possibly reopen in July, as his office laid out a four-stage plan for letting lower-risk businesses and workplaces resume operations in the next few weeks — as long as social distancing continued to push down the number of new cases.

But Newsom expressed dismay at images of people thronging to beaches in Southern California last weekend despite the social distancing order. Some 80,000 people flocked to Newport Beach in Orange County, south of Los Angeles, with additional thousands gathering at open beaches in Ventura County, north of Los Angeles, the Associated Press reported.

On Wednesday, Newsom sent a memo to police chiefs around the state, ordering them to close all beaches up and down the California coastline, Eric Nuñez, president of the California Police Chiefs Association, told the Associated Press. But on Thursday he said the order would only apply to beaches in Orange County.

Most Bay Area counties have already closed beaches, with the exception of Santa Cruz County, which had allowed people wide use of beaches for exercise as long as they followed recommended social distancing practices.

But Santa Cruz County officials revisited their regulations this week after people, including visitors from out of the county, crowded its coastal spots and created traffic hazards along Highway 1. On Wednesday, officials announced that beaches would be closed from 11 a.m. to 5 p.m. except for water-based activities such as surfing or swimming, and otherwise only open for activities like walking or running.



from Hacker News https://ift.tt/2KOaXCA

Safety breaches are probable cause of recent SARS outbreak, WHO says (2004)


The World Health Organization has confirmed that breaches of safety procedures on at least two occasions at one of Beijing's top virology laboratories were the probable cause of the outbreak of severe acute respiratory syndrome (SARS) there last month, which infected nine people, one of whom died.

However, initial fears that the outbreak would spread as a result of the surge in travel during the “golden week” holiday at the beginning of May seem to have been unfounded.

“Obviously golden week was a big concern, as millions of people were on the move,” said Dr Julie Hall, WHO's coordinator in China of communicable disease surveillance and response. “But once the alarm was raised about the cases, over 1000 of their close contacts were isolated very quickly, temperature monitoring was introduced in key locations, information was released to the public, and the authorities attempted extensive contact tracing. These measures appear to have ensured that people were able to travel.”

How the outbreak happened and why the index patient was allowed to travel between Beijing and her home province of Anhui, to the west of Shanghai, while sick are still cause for concern, she added. WHO has been assisting the Chinese Ministry of Health in identifying the source of the outbreak and assessing how well it was controlled and how it differed from previous outbreaks.

Dr Hall said, “Clearly there was a link to the Institute of Virology, and our investigations are still ongoing, but we haven't found a single incident that links the two cases of laboratory workers at the institute, so it appears to be two separate breaches of bio-safety, and we can't find any single incident or accident that explains either case. It has raised real concerns about bio-safety in general, how bio-safety guidelines are implemented, and how that is supervised and monitored.”

This is the third outbreak of SARS to have been traced to a laboratory: small outbreaks occurred in Taiwan and Singapore last year. “The WHO may call for a containment policy for SARS to reduce the number of samples of the virus and the number of laboratories handling it,” said Dr Hall.

Although the authorities reacted swiftly once the alarm was raised, there was a delay of almost a month from the date of first infection to when the index case of infection was announced. By that time all the other cases of infection had already occurred.

The index patient received medical care in both Beijing and Anhui but was still allowed to travel while sick, despite her high risk occupation and the fact that her mother also had a fever. The mother subsequently died.

“This case has lessons for us all, in terms of how healthcare workers take patient histories and ask about infection among other family members,” said Dr Hall. “We are lucky that she travelled on a train and not on an international flight. Had she landed in another country I am not sure her occupation and the fact that her mother was also sick would have been noted or rung any alarm bells.

“We don't know when the next global pandemic will happen, and this incident with SARS in China has raised the issue of how we look at the potential threat of respiratory disease.”



from Hacker News https://ift.tt/2VPex5Q

Charles-Henri Sanson, Royal Executioner (2018)

There’s nothing that epitomises the attitudes of pre-Revolutionary France quite like the job of executioner. The men in this job served the royal will, dealing out death and torture as decreed by the upper classes. Officially they were esteemed for this role. Unofficially they were despised for it. The aristocrats saw them as tools to be deployed against the lower classes to keep them in line, but they also saw them as members of those lower orders. And so, when the Revolution came, an executioner like Charles-Henri Sanson would prove to be a double-edged tool.

The execution of Madame Tiquet by Charles Sanson.

Like the Pierrepoints, the Sansons made executions a family trade. This wasn’t really a coincidence. It was difficult to get men to join the ranks of les Bourreaux, and so the law said that if an executioner could not find an apprentice then his son or son-in-law would have to take their place. The first of them to take up the trade was an impoverished nobleman named Charles Sanson de Longval. He married the daughter of an executioner, either for love (family legend said that she was his nurse after an injury) or for her father’s fortune. He must have had a reason, at any rate, as the stigma for marrying into her family was exceptional, as was the price. Since her father had no son, the law obligated Charles to become his father-in-law’s apprentice. Reportedly he fainted at the first execution he assisted in, but he soon toughened to the trade. The most notorious execution he carried out was that of Angélique-Nicole Carlier Tiquet, a noblewoman who was convicted of hiring men to kill her husband. That husband, who had survived the attempt, was one of those begging the king for mercy for her. There was little proof of her being behind the attack, and besides, it had not succeeded. But an attack like that was an attack on the fabric of patriarchal society, and no mercy was forthcoming. Her alleged accomplice was a commoner, and so he was hanged. Angélique-Nicole was a noble, and so she had the “privilege” of being beheaded. It took three strikes of the executioner’s sword from Charles Sanson to sever her head from her body.

The daughter whom Charles married died giving birth to their son, also named Charles. This Charles grew up to take on his father’s job, and married a formidable woman named Anne-Marthe. Charles junior died in 1726, leaving behind a seven-year-old son named Charles-Jean-Baptiste and a five-year-old son named Nicolas-Charles-Gabriel. Officially Charles-Jean-Baptiste was now the state executioner for Paris, a lucrative position and one that Anne-Marthe Sanson had no intention of giving up. So the young boy grew up on the scaffold, standing by to give legitimacy while his “assistants” carried out the execution. Eventually both Charles-Jean-Baptiste and Nicolas-Charles-Gabriel would grow up to wield the blade themselves. Charles-Jean-Baptiste had seven sons, all of whom eventually became executioners. The eldest, born in 1739, was Charles-Henri Sanson.



Charles-Henri learned at an early age that his family trade was one held in contempt by the world at large. By common arrangement it was never discussed by them at home, and the Sansons only ever spoke of “the work”. In order to safeguard him from the disgrace of “the work”, young Charles-Henri was enrolled anonymously at a fairly prestigious school run by the Sisters of Providence of Rouen. There he studied medicine, hoping to be able to escape his family trade. Unfortunately, when he was 14 his father was recognised by the father of another student, and the class-conscious parents immediately raised enough of a scandal that Charles-Henri was forced to drop out. He completed his education with a private tutor. While he was doing so his father suffered a stroke that left him unable to carry out his duties, and he had to retire. When Charles-Henri turned sixteen he was told by his grandmother Anne-Marthe that he would take up his father’s job. His own desire to save lives rather than take them was brushed aside.

Robert-Francois Damiens, a contemporary drawing.

Initially, like his father, Charles-Henri had to leave the actual executions to “assistants”. In 1757 he himself played assistant to one of the goriest executions of the 18th century, on a man who tried to do what Charles-Henri would become infamous for – regicide. Robert-François Damiens was an unemployed ex-servant who seems to have been suffering from some form of mental illness. He blamed Louis XV for Jansenism (a sect of Catholicism) having been ruled heretical, and so when the King was boarding his carriage he ran past his bodyguards and stabbed him with a pen-knife. It was only a minor wound, but it terrified the “Sun King” who was convinced that he was about to die. That terror may have been why he decided to visit on the hapless would-be assassin a fate of the sort that had not been visited on any Frenchman in over a century.

On the morning of the 28th March 1757 Robert-François Damiens was taken to a scaffold in the center of Paris. There a massive crowd (which included the infamous Casanova) witnessed him being subjected to literally medieval tortures. The official executioner was Charles-Henri’s uncle, Nicolas-Charles-Gabriel Sanson. Charles-Henri and several others assisted. From the outside it was terrifying, but from the inside it was almost farcical. France’s last regicide had been in 1610, and the executioners had no real experience with how to carry out the punishments that had been decreed. First his flesh was “torn with pincers”, which had to be specially crafted for the occasion and which turned out not to get quite the grip they needed. Then he was “burned on the hand which held the weapon”, but the sulphur simply scorched him. That’s not to say that it wasn’t also painful, however, and Damiens’ screams echoed around the plaza. The worst was in the final punishment, which was for him to have his limbs torn off by horses. However the horses proved not to be strong enough, and after an hour of attempts two more horses were added. Still they were not strong enough. The executioners had not known that they needed to sever his tendons before the punishment. Eventually, after one of the horses collapsed, Nicolas-Charles-Gabriel and one of the other assistants were forced to use knives to cut Damiens up. The remains were then burned.

Someone (not Charles-Henri) in the red garb of the High Executioner, painted by Leopold Massard.

Nicolas-Charles-Gabriel retired after the Damiens execution, it apparently being one step too far for him. Charles-Henri, on the other hand, seems to have had the opposite reaction. Far from putting him off his trade, the gruesome event inured him to it. No other job could be so bad after it. That wasn’t to say it was smooth sailing. One notable incident came in 1766 when an old friend of his father’s was the subject of “the work”. Thomas Arthur, the comte de Lally, was a French nobleman descended from a Jacobite exile who had stayed in France when Charles II returned home. One night in 1731 the young count had been wandering through Paris when he passed a party at the Sanson household. He and his friends had joined in, and Thomas had been fascinated to find out whose house it was. He had asked Charles-Jean-Baptiste to show him his tools, and had made him promise that if Thomas was ever on the scaffold he would receive a quick death. Thirty-five years later that grim jest became reality. Thomas became governor-general of French India, and was in charge when the British drove the French out. He was captured, and while a prisoner in London found out that his enemies in France were calling for him to be tried for treason. He returned on parole to defend himself, but was found guilty in a trial heavily weighted against him. Charles-Jean-Baptiste came out of retirement to supervise the execution, as a gesture of respect. The legend is that with his father’s eyes on him Charles-Henri’s nerves got the best of him and he fumbled the stroke of his sword. Charles-Jean-Baptiste leapt up and grabbed it, finishing Thomas off with a single blow.

Thomas Arthur and Madame Tiquet were both high-born, which is why they rated decapitation as their method of execution. Most other criminals were hanged, though those whose crimes were considered more heinous rated more elaborate forms of death. Heretics were burned, counterfeiters were boiled alive and murderers faced being “broken on the wheel”. They were lashed to a circular wheel and had their limbs broken with an iron bar before being finished off. As the more compassionate ideals of the Enlightenment began to emerge, all of these methods of death began to seem cruel and unusual. Some considered the death penalty itself unnecessary, but they were few and far between. But the argument for a more efficient method of execution soon found an unlikely champion in the form of the State Executioner, Charles-Henri Sanson.

Doctor Joseph-Ignace Guillotin.

Leading the charge was Joseph-Ignace Guillotin, a doctor who had been elected as one of the deputies for Paris to the General Assembly in 1789. Guillotin was actually against the death penalty on principle, but thought that the first step would be to make the process as painless as possible. He proposed a motion that all death sentences should be decapitations carried out by mechanical means. The motion was passed. The decapitation machine was originally called a “louisette”, after its designer Antoine Louis. However (to his later regret) Guillotin made a joke in a follow-up speech about how “with my machine, I cut off your head in the twinkling of an eye, and you never feel it!” The joke became the basis for a popular song, and the machine became eternally associated with him. His family later even changed their name, to disassociate themselves from this new development – the guillotine.

Charles-Henri Sanson was a huge advocate of the guillotine, though his motives may have been slightly selfish. Not only would it make his job a lot easier, but it would also mean that he would no longer need to maintain a vast array of execution tools. He took on the job of testing the prototype, starting with straw bales. These were followed by living sheep and then human corpses. The machine was declared a success and the first official guillotine was created by Tobias Schmidt, a maker of musical instruments who was one of Charles-Henri’s closest friends. The machine first saw use in April of 1792 to execute a man who had murdered someone in the course of a mugging. It was ready just in time. Charles-Henri Sanson was about to get a lot busier.

Charles-Henri in the dress of the French Republic. An illustration for a novel by Balzac, drawn by Eugène Lampsonius.

At first glance, you might have expected the French Revolution to have been bad news for Charles-Henri. Here was a man who dealt out death on behalf of the upper classes, after all. He was well-paid; enough that his fancy green coats actually set a fashion at court. And he was descended from a noble family. But the Revolution was not the sudden violent upheaval that popular imagination portrays. It began with social reform, and it was middle-class artisans like the Sansons who were at the heart of it. As it progressed, Charles-Henri progressed with it. Under the Ancien Regime he was a pariah and an outcast, but in the new order he was “Citizen Sanson”, a valued state official. The arrival of the guillotine transformed him from a butcher into an engineer, making his trade a lot more respectable. But this new prestige came at a price. Charles-Henri was a servant of the state, and the new state expected him to obey. So when it sentenced King Louis XVI to death, it was Charles-Henri who was to carry out the sentence.

It was no light thing to execute a king. When King Charles of England was executed, his executioner’s identity was a closely held secret. And in validation of that secrecy, after the Restoration every member of Parliament who had voted for his execution was tracked down and themselves executed in far more torturous fashion. Charles’ executioner had been either Irish or Scottish, too. [1] But the principles of the Republic meant that it was important to them that Louis be executed by a Frenchman and in full compliance with the law. Charles-Henri didn’t really want to do it. He knew it would potentially put his family in danger as a result. But he felt he had no choice, and he was probably right.

Execution of Louis XVI, by Georg Heinrich Sieveking.

The execution took place in January of 1793. It was a gloomy, damp morning, and reportedly the King was silent except for some prayers on his two-hour coach ride to the scaffold. Once he arrived there was some confusion, which led to a rumour that the king had tried to fight his way free. This wasn’t true though, and apparently was due to the king’s protests when he found out that his hands were to be bound with a length of rope. His confessor persuaded him (by pointing out that Jesus had also been bound), and Charles-Henri replaced the plebeian rope with a silk handkerchief. He was also reluctant to let Charles-Henri cut his hair, but relented. The king addressed the crowd, declaring his innocence of his crimes and his hope that no harm would come of his death. He would have spoken more, but a drum roll (arranged in advance) cut him off. So he took his position in the machine, and the blade came down. Some accounts have it that the blade did not sever his head cleanly and that Charles-Henri had to put his weight on the blade to get it through, though the executioner himself naturally denied it. With that done, he held the king’s head up for the crowd, who surged forward to dip their handkerchiefs in the blood that fell from it.

That same blood now bound Charles-Henri Sanson to the Revolution, which had much more need of his services as the frenzy of execution known as “the Reign of Terror” went into full swing. In the first half of 1793 the Committee of Public Safety took power, and over the course of the year the number of those sent to the guillotine grew larger and larger. The victims were not just nobles left over from the Revolution; now they included the political opponents of Robespierre and his cronies. One of those cronies was Georges Danton, but he and his supporters fell from grace and they too were fed into the ravenous maw of Madame Guillotine. Twenty thousand people died in this period, most of them out in the cities like Lyon and Nantes that tried to rebel against this madness. It only ended when it claimed the life of the man who had masterminded it. In July 1794 Maximilien Robespierre, the leader of the Committee of Public Safety, became the victim of a coup. His jaw was broken during his arrest, and when Charles-Henri removed the bandage from it before putting him into the guillotine he let out a blood-curdling scream of pain; pain that was almost immediately cut short.

Christopher Lee playing Sanson in “La Revolutione Francaise”.

The end of Robespierre led to the end of the Terror, as the new government sought to disassociate themselves from the excesses of the previous regime. The death penalty remained, however, and “the work” continued. Charles-Henri Sanson retired in 1795, handing over his position to his younger son Henri. Both of Charles-Henri’s sons had followed him into his trade, but the eldest and original heir, Gabriel, had died in a workplace accident several years earlier. While holding a head up to display it to the eager crowd he had slipped on the pooled blood and fallen from the scaffold. Like his father, Henri had shed blood for the Revolution, as he had been the one who executed Queen Marie-Antoinette. Charles-Henri was in attendance, and the story is that Marie-Antoinette accidentally stood on his foot as she went up to the scaffold, to her embarrassment.

In his retirement Charles-Henri retained a macabre celebrity. One famous story is that he was visited by Emperor Napoleon Bonaparte. Napoleon asked him if the people he had killed as an executioner weighed on his conscience. Charles-Henri joked:

If emperors, kings, and dictators can sleep well, why shouldn’t an executioner?

Napoleon’s response was not recorded. Charles-Henri continued in his retirement until 1806, when his ill-health caught up with him and he died. Henri continued as the High Executioner of Paris until 1839, when he was replaced by his own son Henri-Clement. Henri-Clement was the last Sanson to be an executioner, and the story of how he lost his job is somewhat sordid. He was always a spendthrift, and deep in debt he wound up either selling or pawning his guillotine, which dated back to Charles-Henri’s days. There’s probably no truth to the story that he tried to ride it out by performing his next execution with an axe, but it is true that he was fired for misusing municipal property. The Sanson family fled the scandal by moving to Belgium, where they changed their name to “Samson”, and finally managed to leave the ranks of les Bourreaux. That was the end of the tale of France’s most famous family of executioners.

Images via wikimedia except where stated.

[1] There were three men who were picked as executioner, and only they knew which one wielded the axe. Famously one went to live in Galway afterwards where he used the money to establish a pub, amusingly titled “The King’s Head”.





from Hacker News https://ift.tt/2WiOfIm

Here We Go Again: Why Is It Difficult for Developers to Learn Another Prog Lang?


Once a programmer knows one language, they can leverage concepts and knowledge already learned, and easily pick up another programming language. But is that always the case? To understand if programmers have difficulty learning additional programming languages, we conducted an empirical study of Stack Overflow questions across 18 different programming languages. We hypothesized that previous knowledge could potentially interfere with learning a new programming language. From our inspection of 450 Stack Overflow questions, we found 276 instances of interference that occurred due to faulty assumptions originating from knowledge about a different language. To understand why these difficulties occurred, we conducted semi-structured interviews with 16 professional programmers. The interviews revealed that programmers make failed attempts to relate a new programming language with what they already know. Our findings inform design implications for technical authors, toolsmiths, and language designers, such as designing documentation and automated tools that reduce interference, anticipating uncommon language transitions during language design, and welcoming programmers not just into a language, but its entire ecosystem.



from Hacker News https://ift.tt/3aRdyX7

Release (YC W20) Is Hiring a Senior SW Engineer – Cloud Infrastructure (Remote)



from Hacker News https://ift.tt/2KLwqMw

Security Bulletin: Vulnerability in Xerces-C (CVE-2018-1311)

Apr 30, 2020 8:00 pm EDT

Categorized: Critical Severity


Xerces-C is a validating XML parser written in a portable subset of C++. Xerces-C makes it easy to give your application the ability to read and write XML data. A shared library is provided for parsing, generating, manipulating, and validating XML documents. The XML parser contains a use-after-free error triggered during the scanning of external DTDs (CVE-2018-1311).

Affected product(s) and affected version(s):

Affected Product(s)    Version(s)
HMC V9.1.910.0         V9.1.910.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/6203765



from IBM Product Security Incident Response Team https://ift.tt/3d4pRRe