Sunday, August 28, 2016

Security - Frequently changing your passwords is bad

     It's been said so many times that it has become an unchallenged mantra -- "periodically change your password".  In fact, a number of websites I visit force me to change my password after a set period of time.

     But, what if that mantra was wrong.

     According to the Federal Trade Commission's chief technologist, Lorrie Cranor,
users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)
See link.  Personally, I hate being forced to change my passwords because I can never remember them.  Hopefully, this advice along with a more careful security management policies will lead websites to change their mandatory password changing policies.

- Henry Park

Tuesday, August 23, 2016

Copyright - Thankfully in the Ninth Circuit

     I'm sure that Demi Lovato isn't pleased to be on the receiving side of a copyright infringement lawsuit claiming that her 2015 song "Stars" infringes the independent rock group Sleigh Bells' 2010 song "Infinity Guitars".  See link, link (with copy of the Complaint).

     But it wasn't like Sleigh Bells ambushed her.  Last year, the band tweeted "Demi Lovato flattered you guys sampled Infinity Guitars & Riot Rhythm for 'Stars' but we were not contacted. Gotta clear those."  See link.  In its Complaint, Sleigh Bells describes the material that was copied:
A comparison of the two songs reveals that, at the very least, the combination of the hand claps and bass drum, structured as 3 quarter beats and a rest, with the bass drum providing a counter-rhythm to the hand claps, is at least substantially similar in both works. This infringing material repeats throughout the Defendants’ song.
 See link at ¶ 14.  And, the thrust of Sleigh Bells' copyright infringement claim is:
Defendants did not seek or receive permission from Plaintiffs to copy, take, sample, or interpolate any portion of “Infinity Guitars” when creating “Stars.” Yet, Defendants exploited a material portion of “Infinity Guitars” in constructing “Stars.”
See link at ¶ 22.

     Here is a link to the Sleigh Bells song "Infinity Guitars" and, here is a link to the Demi Lovato song "Stars".

     Because this is a sampling claim, I'm pretty sure that Ms. Lovato is pleased to be that the lawsuit was brought in the Ninth Circuit instead of the Sixth Circuit.  In the Sixth Circuit, sampling is effectively per se unlawful.  "Get a license or do not sample".  Bridgeport Music, Inc. v. Dimension Films, 410 F.3d 792, 801 (6th Cir. 2005).  There is no de minimis defense.  See id. at 801-02. In the Ninth Circuit, as of earlier this year, there is a recognized de minimis defense.  See VMG Salsoul, LLC v. Madonna Louise Ciccone, et al. (9th Cir. 2016, June 2, 2016) (concluding that "a reasonable juror could not conclude that an average audience would recognize the appropriation of the horn hit").

     Whether Ms. Lovato and the other defendants can assert successfully a de minimis defense will have to seen.

- Henry Park

Friday, August 19, 2016

SSA - No more multifactor authentication

     This is an update to my earlier August 2nd post about the Social Security Administration requiring multi-factor authentication to log into your "My Social Security" account.

     That was a short lived requirement.

     Less than two weeks after publicizing this requirement, the SSA just demoted it to an optional feature because of public outcry.  See link.  Hopefully, the SSA will discuss its future authentication plans with its stakeholders before implementing them.

     As I indicated earlier, it will be interesting to see what, when and how SSA will replace this improved authentication requirement.

- Henry Park

Voting - Absentee Ballot

     This is a followup to my earlier January 31st post about registering for absentee voting if you are an expatriate.

     Today, I received my official absentee ballot for the Democratic Primary Election.

- Henry Park

Reciprocity - New Jersey Reciprocity Is Nearly Here

     This is an update to my April 18th post about bar admission reciprocity with New Jersey.

     I just talked to a nice gentleman at the New Jersey Board of Bar Examiners, and he told me that New Jersey currently has reached reciprocity agreements with a number of states but, that the list has not yet been published.  Here is a partial list of the states that will grant reciprocity:  Colorado, Connecticut, Georgia, Idaho, Iowa, Michigan, Minnesota, North Dakota, Oregon, Texas, Virginia and Washington.  He also indicated that the New Jersey Board of Bar Examiners website should be updated on September 1st, when admission by motion becomes permitted, to reflect the full list of states.

- Henry Park

Sunday, August 14, 2016

Travel - Flying with a child may become a little less stressful

     As a parent, flying isn't the most relaxing experience.  You have to buy tickets, pack, get to the airport, pass through security, and board the airplane.

     Fortunately, at least the buying tickets part of the experience may be getting easier.  As part of the Federal Aviation Administration (FAA) reauthorization bill, which was signed by President Obama on July 15, 2016, a provision was added in a nod to the difficulties that families encounter.  See H.R. 636 (114th Congress) at § 2309.

     This provision requires the Secretary of Transportation to examine and, by July 15, 2017, potentially issue a policy directing air carriers to establish a policy requiring a child, under the age of 13, to be seated next to a family member, over the age of 13, to the maximum extent practicable at no additional cost.  See bill at § 2309.  However, the accompanying member seat cannot be a seat that requires an upgrade to another cabin class or seat with extra legroom for which additional payment is normally required.

- Henry Park

Wednesday, August 10, 2016

Security - Who wants a backdoor into Windows 10?

     I just saw an article on ZDNet (link) about Microsoft accidentally leaking the key to Secure Boot.  Secure Boot is supposed "to ensure that each component of the boot process is signed and validated" and it prevents users from booting other operating systems.  Using the key, a malicious person could install onto Windows operating systems computers or devices, other operating systems or a rootkit or bootkit.

    Microsoft in the meantime has already released two patches to try to fix this issue, and a third is expected.

- Henry Park

Sunday, August 7, 2016

Joy - Lessons to an entrepreneur

     I recently watched the movie Joy.  It is an inspirational tale of success.  It also is a cautionary tale to entrepreneurs about making sure you have retained appropriate legal counsel.

     In the movie, Joy receives some poor advice from attorneys which she fortunately overcomes.

1.  Joy relies upon her investor's attorney for a patent search and the analysis of the search results.  According to the attorney, there is a third-party patent for a self-wringing mop that might cover Joy's invention and that Joy should pay a royalty to the third-party.

Unfortuntately for Joy, the investor's attorney wasn't a patent attorney and thus wasn't able to perform a patent infringement or patent invalidity analysis.

 2.   A California patent attorney tells her that because she paid a royalty to the third-party that all of her parts and molds fall under the umbrella of the third-party patent, and that it is impossible to fight it.

First, while paying royalties creates the impression that the Joy's invention may fall under the third-party patent, it does not make it so.  People pay royalties for a variety of reasons including because it is easier to pay a royalty than the fight it out in court.  Second, it is always possible to fight a case (if you have the resources).

   Joy also isn't a patent attorney and during the climax she makes a few statements that while great for a drama are besides the point.

1.   She states that the inventor of the third-party patent is not aware of the value of his patent, and hasn't sold or manufactured a product.  These factors are irrelevant to the issue of whether patent claims cover an accused product.

2.   She states that her mop doesn't bear any similarities to the third-party's mop.  This is the wrong comparison.  You have to compare the patent claims to the accused product.

- Henry Park

Tuesday, August 2, 2016

Authentication - Social Security Administration just took a dead end road to secure accounts

     I recently received an email from the Social Security Administration (SSA) notifying me that they are implementing multifactor authentication.  This is what SSA says it means:


     I'm all up for keeping my personal information secure, and I'm happy that the SSA is implementing a more secure authentication method given the number of reported cybersecurity incidents affecting the Federal government.  I just wish that they had chosen an authentication method that might not be deprecated in the near future.

     The National Institute of Standards and Technology (NIST) is a federal agency within the U.S. Department of Commerce which "is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems". NIST's guidelines are regarded highly and many entities follow NIST's guidance.

     Recently, NIST released a draft of its Special Publication 800-63-3, Digital Authentication Guideline. In this Guideline, NIST states that Out Of Band (OOB) verification "using SMS is deprecated, and may no longer be allowed in future releases of this guidance".  Special Publication 800-63B, Digital Authenication Guidleline, Authentication and Lifecycle Management, section  NIST's position concerning using sending SMS to cell phones is based on the risk that SMS messages could be intercepted or redirected.

     It shall be interesting to see if the final NIST Guideline maintains that OOB verification using SMS is deprecated.  Even more interesting shall be to see how long it takes SSA to replace this method of authentication.

- Henry Park