RSS Atom Add a new post titled:
Carrier IQ press release -- withdrawal of cease and desist

title: Carrier IQ press release -- withdrawal of cease and desist created: !!timestamp '2011-11-23 20:00:00' tags: - retropost - law - communication - mobile - software - freedom - copyright

{% mark excerpt -%}

Carrier IQ issued this press release, dated 2011-11-23, withdrawing its cease and desist demand.

{%- endmark %}


Carrier IQ Press Statement

Mountain View, CA - November 23, 2011 - As, of today, we are withdrawing our cease and desist letter to Mr. Trevor Eckhart. We have reached out to Mr. Eckhart and the Electronic Frontier Foundation (EFF) to apologize. Our action was misguided and we are deeply sorry for any concern or trouble that our letter may have caused Mr. Eckhart. We sincerely appreciate and respect EFF's work on his behalf, and share their commitment to protecting free speech in a rapidly changing technological world.

We would like to take this opportunity to reiterate the functionality of Carrier IQ's software, what it does not do and what it does:

  • Does not record your keystrokes.
  • Does not provide tracking tools.
  • Does not inspect or report on the content of your communications, such as the content of emails and SMSs.
  • Does not provide real-time data reporting to any customer.
  • Finally, we do not sell Carrier IQ data to third parties.

Our software is designed to help mobile network providers diagnose critical issues that lead to problems such as dropped calls and battery drain.

Here's what our software does:

  • Our software makes your phone work better by identifying dropped calls and poor service.
  • Our software identifies problems that impede a phone's battery life.
  • Our software makes customer service quicker, more accurate, and more efficient.
  • Our software helps quickly identify trending problems to help mobile networks prevent them from becoming more widespread.

We look forward to a healthy and robust discussion with EFF that we believe will be helpful to us, to our customers, and to consumers that use mobile devices. We welcome feedback on our products and understand that Mr. Eckhart and other developers like him play an important role by raising questions about the complicated and technical aspects of the mobile ecosystem.

Carrier IQ Inc. 1200 Villa Street, Suite 200, Mountain View, CA 94041

source: Carrier IQ News

EFF response to the Carrier IQ cease and desist demand

title: EFF response to the Carrier IQ cease and desist demand created: !!timestamp '2011-11-21 20:00:00' tags: - retropost - law - communication - mobile - software - freedom - copyright

{% mark excerpt -%}

The Electronic Frontier Foundation sent this letter, dated 2011-11-21, to Carrier IQ Inc on behalf of Trevor Eckhart.

{%- endmark %}

November 21, 2011


Re: Carrier IQ's Cease-and-Desist Demand to Trevor Eckhart

Dear Mr. Dullea:

As you know, the Electronic Frontier Foundation represents Trevor Eckhart, the security researcher who published an analysis of Carrier IQ's software at services/loggers/carrieriq, and posted copies of Carrier IQ training materials at and Prior to Mr. Eckhart's publication, these materials were freely available to the public on a Carrier IQ website,

We have now had a chance to review your allegations against our client, and have concluded that they are entirely baseless. Mr. Eckhart used and made available these materials in order to educate consumers and security researchers about the functionality of your software, which he believes raises substantial privacy concerns. Mr. Eckhart's legitimate and truthful research is sheltered by both the fair use doctrine and the First Amendment.

Copyright Issues

With respect to your allegations of copyright infringement, Mr. Eckhart's analysis and publication of Carrier IQ's training materials is a classic fair use and, therefore, non-infringing. 17 U.S.C. § 107 ("the fair use of a copyrighted work . . . for purposes such as criticism, comment, news reporting . . . or research, is not an infringement of copyright."). Courts generally consider four factors in a fair use analysis: 1) the purpose and character of the use, 2) the nature of the copyrighted work, 3) the amount and substantiality of the portion used, and 4) the effect of the use on the potential market for the work. Id.; Campbell v. Acuff-Rose Music, 510 U.S. 569, 577 (1994). Each of these factors favors Mr. Eckhart.

Purpose and character of the use. Mr. Eckhart's copying of any Carrier IQ materials was intended not to replicate Carrier IQ's original purpose for the documents, but rather to facilitate research and critical commentary about Carrier IQ's software. It is therefore a highly transformative use. See generally Campbell, 510 U.S. at 579 (transformative works "lie at the heart of the fair use doctrine's guarantee of breathing space within the confines of copyright"); Castle Rock Ent. v. Carol Pub. Group, Inc., 150 F.3d 132, 141 (2d Cir. 1998) (a transformative work "is the very type of activity that the fair use doctrine intends to protect for the enrichment of society."); Online Policy Group v. Diebold, Inc., 337 F. Supp. 2d 1195, 1201 (N.D. Cal. 2004) (finding students' publication of voting machine manufacturer's email archive to support public criticism of voting machines a transformative use).

Nature of the copyrighted work. The materials in question are factual rather than creative, and therefore subject to only the thinnest copyright protection. See Harper & Row, Publrs., Inc. v. Nation Enters., 471 U.S. 539, 563 (1985) ("The law generally recognizes a greater need to disseminate factual works than works of fiction or fantasy.").

Amount and substantiality used. Mr. Eckhart has copied no more than necessary for purposes of his research. His analysis of Carrier IQ software was based in significant part on the training materials, which he provided to the public for the purpose of allowing others to independently verify his findings. As the Supreme Court has recognized, fair uses often involve substantial portions of an original work. Campbell, 510 U.S. at 588; see also Mattel, Inc. v. Walking Mountain Prod., 353 F.3d 792, 803 n.8 (9th Cir. 2003) (holding that "entire verbatim reproductions are justifiable where the purpose of the work differs from the original.").

Effect of the use on the potential market for the work. Critical transformative uses rarely -- if ever -- supplant markets for the original material. Campbell, 510 U.S. at 591-92; Harper & Row, 471 U.S. at 567-69. The training materials published by Mr. Eckhart plainly do not invade any licensing market for works that may be copyrighted by Carrier IQ.

More broadly, Mr. Eckhart published his analysis of Carrier IQ and the underlying training materials to educate the public about privacy concerns raised by your software, which is installed by default on many mobile devices, unbeknownst to most consumers. Dissemination of this information unquestionably serves the public interest. Nimmer on Copyright, § 13.05[B][4] ("the public interest is also a factor that continually informs the fair use analysis."); see also Sony v. Universal, 464 U.S. 417, 431-32 (1984) ("courts are more willing to find a secondary use fair when it produces a value that benefits the broader public interest."); Mattel, 353 F.3d at 806 ("the public benefit in allowing . . . social criticism to flourish is great."); Online Policy Group, 337 F. Supp. 2d at 1203 (students' publication of voting machine manufacturer's emails to inform the public about problems in voting machines served the public interest).

"False Allegations" Issues

You also claim that Mr. Eckhart published "false allegations" that are "without substance," "untrue," and that Carrier IQ considers "damaging to [its] reputation and the reputation of [its] customers." We have repeatedly asked you to specify the statements you believe are actionable. You have failed to do so, and have instead merely repeated your broad accusations. We believe you are not able to substantiate your allegations because Mr. Eckhart's factual findings are true. If you are able to specify any statement that you believe is false, Mr. Eckhart will be happy to provide you with the documentation of that finding.

Moreover, your client is a public figure. Under well-established Supreme Court precedent, commentary and criticism regarding Carrier IQ's professional activities receive additional protections under the First Amendment, because there is a heightened public interest in facilitating such speech. See, e.g., New York Times Co. v. Sullivan, 376 U.S. 254, 270 (1964); Hustler Magazine v. Falwell, 485 U.S. 46 (1988). Given that there is no basis for your legal claims, we must conclude that your threats are motivated by a desire to suppress Mr. Eckhart's research conclusions, and to prevent others from verifying those conclusions. Mr. Eckhart stands by his research and, accordingly, declines to meet your demands. We ask that you immediately withdraw your allegations in writing.

Nothing in this letter shall be deemed to waive any of Mr. Eckhart's rights or remedies, all of which are expressly reserved.

If you have any further concerns, please do not hesitate to contact me.



Marcia Hofmann, Esq.
Senior Staff Attorney

source: Carrier IQ Drops Empty Legal Threat, Apologizes to Security Researcher | Electronic Frontier Foundation

cease and desist demand sent to Trevor Eckhart

title: cease and desist demand sent to Trevor Eckhart created: !!timestamp '2011-11-16 20:00:00' tags: - retropost - law - communication - mobile - software - freedom - copyright

{% mark excerpt -%}

Carrier IQ Inc sent this letter, dated 2011-11-16, to Trevor Eckhart.

{%- endmark %}


Sent by Certified Mail and email

November 16, 2011

Trevor Eckhart


Dear Mr. Eckhart:

I am writing on behalf of my employer, Carrier IQ, Inc., to notify you that your unlawful copying of Carrier IQ, Inc.'s training materials on your website1 (the "Training Materials") infringes on Carrier IQ, Inc.'s exclusive copyrights. Accordingly, you are hereby directed to


All copyrightable aspects of the Training Materials are copyrighted under United States copyright law and Carrier IQ, Inc. is the owner of such copyright. Under United States copyright law, Carrier IQ, Inc.'s copyrights have been in effect since the date that the Training Materials were created.

It has come to our attention that you have been copying the Training Materials. We have copies of your unlawful copies to preserve as evidence. Your actions constitute copyright infringement in violation of United States copyright laws. Under 17 U.S.C 504, the consequences of copyright infringement include statutory damages of between $750 and #30,000 per work, at the discretion of the court, and damages of up to $150,000 per work for willful infringement. If you continue to engage in copyright infringement after receiving this letter, your actions will be evidence of "willful infringement."


In addition to infringing Carrier IQ, Inc.'s copyrights, you have made allegations on your website (see footnote 1), that are without substance, untrue, and that we regard as damaging to our reputation and the reputation of our customers. At this time we demand that you remove such allegations from the web and cease and desist from making any allegations or passing any false and unsubstantiated public comment directly or indirectly on our company, products, services or companies who may use our technology.

We demand that you immediately

  • cease and desist your unlawful copying of the Training Materials;
  • contact all persons and entities to whom you have directly or indirectly provided copies of the Training Materials and inform them that such materials are confidential/copyright-protected materials belonging to Carrier IQ, Inc. were provided improperly in infringement of the rights of Carrier IQ, Inc.;
  • provide Carrier IQ, Inc. with contact information for all such persons and entities;
  • cease and desist from making any unsubstantiated allegations or passing any false or unsubstantiated public comment directly or indirectly relating to Carrier IQ, Inc. technology;
  • send written retractions to all persons and entities to whom you have directly or indirectly distributed the unsubstantiated allegations relating to Carrier IQ, Inc. products or services;
  • issue a public press release on the AP wire containing the following statement:
  • remove all content and references to Carrier IQ, Inc. (including references to Carrier IQ and/or CIQ) from the website, any mirrors and references and replace your original "CarrierIQ" article with the following statement:

    "Carrier IQ, Inc. has requested that I remove my original article entitled "CarrierIQ" as it contained numerous inaccuracies and material subject to their copyright. I would also like to apologize to Carrier IQ, Inc. for misrepresenting the capabilities of their products and for distributing copyrighted content without permission.

    "On clarifying the actions of Carrier IQ, Inc. software, it is clear that while they inspect many aspects of device performance they are not in fact recording keystrokes or providing user tracking tools and have no intention of doing so.

    "Carrier IQ, Inc. technology does not allow their customers to task devices which are no longer in their service (for example when a subscriber of one operator moves their phone to another operator) and restricts each customer to its own subscribers.

    "The Carrier IQ, Inc. software is integrated by intent by device manufacturers and operators; it does not meet the definition of a rootkit and does not subvert the operation of the device as I previously claimed. Under my previous definition, any software loaded by an OEM that shipped with a device would meet my criteria for rootkit."

  • provide Carrier IQ, Inc. with prompt written assurance by 12.00pm EST on November 18th that you will comply with the foregoing.

If you do not comply with these cease and desist demands withing this time period, please be advised that Carrier IQ, Inc. will pursue all available legal remedies, including seeking monetary damages, injunctive relief, and an order that you pay court costs and attorney's fees. In addition, Carrier IQ, Inc. is entitled to use your failure to comply as evidence of "willful infringement" of copyright and seek monetary damages and equitable relief for your copyright infringement. In the event you fail to meet this demand, your liability and exposure under such legal action could be considerable.

Before taking these steps, however, Carrier IQ, Inc. wishes to give you one opportunity to discontinue your illegal conduct by complying with this demand by 12.00pm EST on November 18th. Accordingly, please sign and return the attached Agreement by 12.00pm EST on November 18th to

Joseph J. Dullea
c/o Jewel Rich
1200 Villa St., Suite 200
Mountain View, Ca 94041

With an email copy to [redacted], [redacted]

If you or your attorney have any questions, please contact me directly.

Carrier IQ, Inc.
Joseph J. Dullea
General Counsel

1 ;

source: Carrier IQ Drops Empty Legal Threat, Apologizes to Security Researcher | Electronic Frontier Foundation

TWiG 101 show notes, Google Plus


This Week in Google, episode 101: Inside Google+ (googleplus)

Playing twig0101_h264b_864x480_2000.mp4.


time 000130. Googler Bradley Horowitz. vice president of products and Google Plus team.

time 000148. Googler Vic Gundotra.

time 001500. Sparks.

time 002040. Bradley Horowitz. privacy settings on Google Plus.

time 002430. Huddle -- group text messaging.

time 002500. end of the interview. Bradley Horowitz and Vic Gundotra leave.

time 002904. Gina Trapani. On Google Hangout Jeff Jarvis asked Vic Gundotra and Bradley Horowitz to be on twig today. They paused, and then said okay.

time 003000. Jeff Jarvis. You're too polite. You've been in California too long.

time 003010. Jeff Jarvis. Tim Shea, head of Neptune Networks, which was bought by Google, says he hasn't had a phone call with anyone since he's been at Google. All he's done is Hangout.

time 003140. Will Norris and his cat on Hangout.

time 003305. bumping. a problem inherited from Google Buzz.

time 003345. Leo Laporte. Let's keep nit picking. What else is wrong with Google Plus?

time 003351. Jeff Jarvis. The main problem is siloing. How is Plus going to connect to Twitter and Facebook?

time 003410. Leo Laporte. What about a firehose? This question came from Lou of Microsoft in our chat room.

time 003500. Buzz became just another Twitter, because everyone was pumping their Twitter into it.

time 003600. [Jeff Jarvis means it's asymmetric, like Twitter, not "async".] Not symmetric, like Facebook. Can it be like Twitter, with public posts? These things are confusing me.


time 003700. Gina Trapani. Google search: jarvis ~27 results


Google search: chromebook ~52 results

time 003835. Jeff Jarvis is talking to Robert Scoble on Hangout about public and private Google Plus posts.

time 003912. Leo Laporte. Speak to us, Matt Cutts. This is so cool! I'm going to use this from now on on all the shows! 10 of you will get to talk. I'm gonna try to compose myself and be a journalist here. But it's kinda hard not to jump up and down.

time 004012. Doug Kaye on Hangout.

time 004100. trouble with feedback because some people on Hangout are not using headphones, watching twit live with speakers.

time 004130. They're watching twit live because they can hear only Leo Laporte via Hangout.

time 004151. Jeff Jarvis. Leo Laporte, we were talking last week about having a wall of screens where you have twit listeners able to join in and talk. Google just made it for you.

time Gina Trapani.

time 004412. This solves the penis problem. There's enough identity. Anonymous people are still friends of friends.

time 004530. Leo Laporte. You have the penis problem, and then you have the Robert Scoble problem.

time 004650. I will use this on twit like crazy. My mind is reeling with the possibilities here. I wanted to use friendfeed and Buzz, and they just didn't take off, and I ended up back at Twitter, and I've never been fully happy with Twitter. I keep hoping someone will come up with the next thing, and this, in some respects... Is it too soon to say feels a little bit like that?

time 004755. Jeff Jarvis. I think we have to ask why Google's doing this. Om Malik says this is a lot about search. I have been arguing that the war now is over the best signal generation. Google has to learn more about us. Facebook had better have this video feature fast, or something equally cool. Sparks is better than Facebook's "Hey, I got drunk last night!", which is what has been interpreted as "social". So Sparks adds substance to social.

example "Android" search on Sparks on Leo Laporte's screen: "from fragmentation to obsolescence"

time 004945. Jeff Jarvis. Google Plus has circles from day one. Once you had 1000 friends on Facebook, you were never going to organize them. I think we're going to see some interesting competition on features, and it's going to be good for both of them. And Twitter, and Twitter clients, and Foursquare, and so on.

time 005030. Leo Laporte. I can share an article on Sparks at the same time publicly, and with friends, including by email people not using Google Plus. It's a very powerful sharing system. It's a conversation starter. It sparks a conversation.

time 005140. Gina Trapani. Google Plus is for people who want something better than Facebook. See the xkcd about Google Plus.

time 005216. Gina Trapani. Google Wave and Google Plus are trying to solve different problems. Wave is more about collaborating on documents. Plus seems more about connecting people. I'm obsessed with Google Hangout. Google Huddle is available now in the Android app only. It will be in the ios app, and it will integrate with sms, so it will be easy to set up a lunch buddy circle and say "Hey, where do you want to meet today?" Google Plus is trying to tackle a much less geeky problem than Google Wave.

time 005300. on video: Google Huddle on the Android app.

time 005317. Jeff Jarvis. Why isn't it on the web interface?

time 005330. Gina Trapani. I'm getting from ios folks the feeling of being left out, not being able to try Huddle because it's Android only for now.

time 005354. I was really shy about video chat before we started doing Twig, and then when I saw Hangout, I was like, "Yes, exactly! I'm going to be able to do my own Twig, that isn't broadcast." The fact that you can't record a Hangout, unless you're using screen recording software... it let's you talk about people who came in and left. If you come into a Hangout, you don't see what people said before you came in. It's ephemeral, like a cocktail party conversation. I really like that. It's not about broadcasting; it's about just hanging out.

time 005437. Leo Laporte. I just figured out how you can play Werewolf with it too.

time 005500. on video: Google Hangout awake check. Jeff Jarvis. Like a dead man's switch. status 2011-06-21

June 21, 8:40 AM PST

Pinboard is down for most users right now. We're running off of backup but many people report not being able to reach the site at all.

Our main database server is still unreachable and so is our ISP (!). I've moved the service to our backup DB server, but since it's in the same data center I can't guarantee that it won't also be affected by whatever is plaguing our hosting provider.

Your bookmark data is safe, but none of us can get to it right now. I'm provisioning a new server in a different locat ion, but it will take a while to load the backup into it.

Next status update at 12:30 PM PST. Please see our Twitter stream (@Pinboard) for blow-by-blow updates.

-Maciej Ceglowski

Pinboard Status

June 21, 12:38 PM PST

Just received word from our hosting company that they were raided by the FBI who pulled some racks of equipment. No word on whether our server was among those machines, or whether it is just offline. In the meantime the site is running on a backup server with reduced capabilities (see below). All bookmarks are intact.

June 21, 12:26 PM PST

Here's more detail on what's going on:

We have three big servers with one hosting company (DigitalOne). Two of them are online, but our main database server is unreachable. Basically it is cut off from the world because of network problems at our provider.

A bunch of us who host at DigitalOne are trying to track them down right now for a status update, but have not had any luck. Last I heard from them (Monday night PST) they were fixing a router problem.

In the meantime, I'm running the site off of our backup database server. This server is weak, so to keep it from bogging down I have turned off the API, RSS feeds, the popular and recent page, as well as all user tag pages. I will turn these services back on as soon as possible.

Search and global tag pages are also unavailable, since they run on the unreachable machine.

One thing that does work is our export page, and if you're feeling nervous about your data I encourage you to use it. We have fresh backups (from one day ago) safely stored on S3, but in these matters you can't be too careful.

I will update this page with news, but for the latest please follow our Twitter feed.

June 21, 15:41 PM PST

I've turned user+tag pages back on, as well as bookmark imports. Still no further word from our hosting providers. I'm provisioning a new server, but setup will take at least a day to complete. No RSS feeds or API access until then unless it turns out our server wasn't one of the ones taken in the raid.

June 22, 8:42 AM PST

Service has stabilized and I've been able to turn on the API. Still not working: some archive links, search, global tag pages, RSS, tag clouds, user stats. I hope to get these back online during the day.

DigitalOne has confirmed that our server was one of the ones taken during the FBI raid. I have no reason to believe it had anything to do with us, but unfortunately these blade servers pack many to a single box.

bad security advice: Steve Gibson's password haystacks

Steve Gibson is recommending long, low-entropy passwords. This can give an advantage of convenience only in the short term. If there is a significant advantage to the password user, attackers will optimize for this type of low-entropy password by changing the search order.

Gibson implies in his reasoning that short passwords will be tried first. The efficient way to crack passwords is to try them roughly in the order of increasing entropy, not length. Increasing length is conventional, not essential.

Any gain in convenience you get by using long passwords with low entropy is lost when the attack methods change. Attackers adopt heuristics to target patterns in passwords, and you're back to relying on entropy. At that point, Gibson's approach just means uselessly typing more characters. The convenience gain is reversed.

Any public recommendation of a low entropy scheme, at any level of detail, is self-defeating. The more it's adopted, the faster it weakens relative to entropy.

Worse, if you were really getting the benefit of convenience by assuming dumb lexical order brute force attacks and using lower entropy than you should, you have to change your passwords to compensate for the loss of safety as the attack methods are adjusted to neutralize the length advantage.

Worse still, Steve Gibson is recommending low entropy for encryption keys, for example in WPA2 wireless encryption. When you use encryption for wireless transmission, you intentionally expose the cyphertext immediately, expecting it to be stored by keen attackers, and to be safe for some required period according to the strength of the key. In the long term, only the entropy of your key can reliably slow down decryption attempts. By the time you realize your key isn't as strong as you were led to believe, it's too late to change it. Your attacker already has your weakly encrypted data.

at technophobe: bad security advice: Steve Gibson's password haystacks

how to use this site

This site is a combination of a weblog and a wiki -- a bliki. I will be editing posts more than is usual on a blog. In addition to the usual feeds of new posts comments, you can follow the recent changes feed to get all updates.

Despite using wiki software, this site is not currently open to editing by other people.

I want a plain static version of the site on generic hosting with raw logs, but that isn't currently possible. Instead, I'm manually copying some static versions of pages to

first post

This is the first post to this example blog. To add new posts, just add files to the posts/ subdirectory, or use the web form.

This blog is powered by ikiwiki.