"Jira Quick Start Guide: Manage your projects efficiently using the all-new Jira" by Ravi Sagar
The book "Jira Quick Start Guide: Manage your projects efficiently using the all-new Jira" by Ravi Sagar has received mixed reviews from readers. Here's a summary of the feedback:
Positive Review (5.0 out of 5 stars)
Seann Ikon, a reader from the United States, found the book to be concise and informative. They recommend it for anyone working with Jira, even if they are more accustomed to using AzureDevOps.
Negative Review (2.0 out of 5 stars)
Glosso, another reader from the United States, expressed dissatisfaction with the book's writing style. They found the writing to be bad, with numerous issues related to grammar and verbosity. The reviewer found it distracting and ultimately unreadable. They provided examples of sentences that could be improved for clarity and conciseness.
Negative Review (1.0 out of 5 stars)
An anonymous Amazon Customer from the United States did not find the book useful. They suggested that the book might have been written for an earlier version of JIRA, indicating a lack of relevance to the current Jira software.
Neutral Review (3.0 out of 5 stars)
Revanth Kumar K from India mentioned that the book's price was too high, suggesting it might be overpriced.
Negative Review (2.0 out of 5 stars)
Lord Bernard De Montacute, a reader from the United Kingdom, described the book as weak and thin in terms of content. They felt it did not provide sufficient value for the money spent and believed they could have written a similar book in a short amount of time.
Positive Review (5.0 out of 5 stars)
Mike Connor from Australia expressed a positive view of the book but didn't provide a detailed review.
In conclusion, the book appears to have some valuable information about Jira, but it also faces criticism for its writing style, relevance, and pricing. Readers' opinions vary, so it may be worth considering the specific aspects of the book that align with your needs and preferences before making a decision to purchase it.
3 notes
Unpersoned
Support me this summer on the Clarion Write-A-Thon and help raise money for the Clarion Science Fiction and Fantasy Writers' Workshop!
My latest Locus Magazine column is "Unpersoned." It's about the implications of putting critical infrastructure into the private, unaccountable hands of tech giants:
https://locusmag.com/2024/07/cory-doctorow-unpersoned/
The column opens with the story of romance writer K Renee, as reported by Madeline Ashby for Wired:
https://www.wired.com/story/what-happens-when-a-romance-author-gets-locked-out-of-google-docs/
Renee is a prolific writer who used Google Docs to compose her books, and share them among early readers for feedback and revisions. Last March, Renee's Google account was locked, and she was no longer able to access ten manuscripts for her unfinished books, totaling over 220,000 words. Google's famously opaque customer service – a mix of indifferently monitored forums, AI chatbots, and buck-passing subcontractors – would not explain to her what rule she had violated, merely that her work had been deemed "inappropriate."
Renee discovered that she wasn't being singled out. Many of her peers had also seen their accounts frozen and their documents locked, and none of them were able to get an explanation out of Google. Renee and her similarly situated victims of Google lockouts were reduced to developing folk-theories of what they had done to be expelled from Google's walled garden; Renee came to believe that she had tripped an anti-spam system by inviting her community of early readers to access the books she was working on.
There's a normal way that these stories resolve themselves: a reporter like Ashby, writing for a widely read publication like Wired, contacts the company and triggers a review by one of the vanishingly small number of people with the authority to undo the determinations of the Kafka-as-a-service systems that underpin the big platforms. The system's victim gets their data back and the company mouths a few empty phrases about how they take something-or-other "very seriously" and so forth.
But in this case, Google broke the script. When Ashby contacted Google about Renee's situation, Google spokesperson Jenny Thomson insisted that the policies for Google accounts were "clear": "we may review and take action on any content that violates our policies." If Renee believed that she'd been wrongly flagged, she could "request an appeal."
But Renee didn't even know what policy she was meant to have broken, and the "appeals" went nowhere.
This is an underappreciated aspect of "software as a service" and "the cloud." As companies from Microsoft to Adobe to Google withdraw the option to use software that runs on your own computer to create files that live on that computer, control over our own lives is quietly slipping away. Sure, it's great to have all your legal documents scanned, encrypted and hosted on GDrive, where they can't be burned up in a house-fire. But if a Google subcontractor decides you've broken some unwritten rule, you can lose access to those docs forever, without appeal or recourse.
That's what happened to "Mark," a San Francisco tech worker whose toddler developed a UTI during the early covid lockdowns. The pediatrician's office told Mark to take a picture of his son's infected penis and transmit it to the practice using a secure medical app. However, Mark's phone was also set up to synch all his pictures to Google Photos (this is a default setting), and when the picture of Mark's son's penis hit Google's cloud, it was automatically scanned and flagged as Child Sex Abuse Material (CSAM, better known as "child porn"):
https://pluralistic.net/2022/08/22/allopathic-risk/#snitches-get-stitches
Without contacting Mark, Google sent a copy of all of his data – searches, emails, photos, cloud files, location history and more – to the SFPD, and then terminated his account. Mark lost his phone number (he was a Google Fi customer), his email archives, all the household and professional files he kept on GDrive, his stored passwords, his two-factor authentication via Google Authenticator, and every photo he'd ever taken of his young son.
The SFPD concluded that Mark hadn't done anything wrong, but it was too late. Google had permanently deleted all of Mark's data. The SFPD had to mail a physical letter to Mark telling him he wasn't in trouble, because he had no email and no phone.
Mark's not the only person this happened to. Writing about Mark for the New York Times, Kashmir Hill described other parents, like a Houston father identified as "Cassio," who also lost their accounts and found themselves blocked from fundamental participation in modern life:
https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html
Note that in none of these cases did the problem arise from the fact that Google services are advertising-supported, and because these people weren't paying for the product, they were the product. Buying a $800 Pixel phone or paying more than $100/year for a Google Drive account means that you're definitely paying for the product, and you're still the product.
What do we do about this? One answer would be to force the platforms to provide service to users who, in their judgment, might be engaged in fraud, or trafficking in CSAM, or arranging terrorist attacks. This is not my preferred solution, for reasons that I hope are obvious!
We can try to improve the decision-making processes at these giant platforms so that they catch fewer dolphins in their tuna-nets. The "first wave" of content moderation appeals focused on the establishment of oversight and review boards that wronged users could appeal their cases to. The idea was to establish these "paradigm cases" that would clarify the tricky aspects of content moderation decisions, like whether uploading a Nazi atrocity video in order to criticize it violated a rule against showing gore, Nazi paraphernalia, etc.
This hasn't worked very well. A proposal for "second wave" moderation oversight based on arms-length semi-employees at the platforms who gather and report statistics on moderation calls and complaints hasn't gelled either:
https://pluralistic.net/2022/03/12/move-slow-and-fix-things/#second-wave
Both the EU and California have privacy rules that allow users to demand their data back from platforms, but neither has proven very useful (yet) in situations where users have their accounts terminated because they are accused of committing gross violations of platform policy. You can see why this would be: if someone is accused of trafficking in child porn or running a pig-butchering scam, it would be perverse to shut down their account but give them all the data they need to go on committing these crimes elsewhere.
But even where you can invoke the EU's GDPR or California's CCPA to get your data, the platforms deliver that data in the most useless, complex blobs imaginable. For example, I recently used the CCPA to force Mailchimp to give me all the data they held on me. Mailchimp – a division of the monopolist and serial fraudster Intuit – is a favored platform for spammers, and I have been added to thousands of Mailchimp lists that bombard me with unsolicited press pitches and come-ons for scam products.
Mailchimp has spent a decade ignoring calls to allow users to see what mailing lists they've been added to, as a prelude to mass unsubscribing from those lists (for Mailchimp, the fact that spammers can pay it to send spam that users can't easily opt out of is a feature, not a bug). I thought that the CCPA might finally let me see the lists I'm on, but instead, Mailchimp sent me more than 5900 files, scattered through which were the internal serial numbers of the lists my name had been added to – but without the names of those lists or any contact information for their owners. I can see that I'm on more than 1,000 mailing lists, but I can't do anything about it.
Mailchimp shows how a rule requiring platforms to furnish data-dumps can be easily subverted, and its conduct goes a long way to explaining why a decade of EU policy requiring these dumps has failed to make a dent in the market power of the Big Tech platforms.
The EU has a new solution to this problem. With its 2024 Digital Markets Act, the EU is requiring platforms to furnish APIs – programmatic ways for rivals to connect to their services. With the DMA, we might finally get something parallel to the cellular industry's "number portability" for other kinds of platforms.
If you've ever changed cellular platforms, you know how smooth this can be. When you get sick of your carrier, you set up an account with a new one and get a one-time code. Then you call your old carrier, endure their pathetic begging not to switch, give them that number and within a short time (sometimes only minutes), your phone is now on the new carrier's network, with your old phone-number intact.
This is a much better answer than forcing platforms to provide service to users whom they judge to be criminals or otherwise undesirable, but the platforms hate it. They say they hate it because it makes them complicit in crimes ("if we have to let an accused fraudster transfer their address book to a rival service, we abet the fraud"), but it's obvious that their objection is really about being forced to reduce the pain of switching to a rival.
There's a superficial reasonableness to the platforms' position, but only until you think about Mark, or K Renee, or the other people who've been "unpersonned" by the platforms with no explanation or appeal.
The platforms have rigged things so that you must have an account with them in order to function, but they also want to have the unilateral right to kick people off their systems. The combination of these demands represents more power than any company should have, and Big Tech has repeatedly demonstrated its unfitness to wield this kind of power.
This week, I lost an argument with my accountants about this. They provide me with my tax forms as links to a Microsoft Cloud file, and I need to have a Microsoft login in order to retrieve these files. This policy – and a prohibition on sending customer files as email attachments – came from their IT team, and it was in response to a requirement imposed by their insurer.
The problem here isn't merely that I must now enter into a contractual arrangement with Microsoft in order to do my taxes. It isn't just that Microsoft's terms of service are ghastly. It's not even that they could change those terms at any time, for example, to ingest my sensitive tax documents in order to train a large language model.
It's that Microsoft – like Google, Apple, Facebook and the other giants – routinely disconnects users for reasons it refuses to explain, and offers no meaningful appeal. Microsoft tells its business customers, "force your clients to get a Microsoft account in order to maintain communications security" but also reserves the right to unilaterally ban those clients from having a Microsoft account.
There are examples of this all over. Google recently flipped a switch so that you can't complete a Google Form without being logged into a Google account. Now, my ability to pursue all kinds of matters both consequential and trivial turns on Google's good graces, which can change suddenly and arbitrarily. If I was like Mark, permanently banned from Google, I wouldn't have been able to complete Google Forms this week telling a conference organizer what sized t-shirt I wear, but also telling a friend that I could attend their wedding.
Now, perhaps some people really should be locked out of digital life. Maybe people who traffic in CSAM should be locked out of the cloud. But the entity that should make that determination is a court, not a Big Tech content moderator. It's fine for a platform to decide it doesn't want your business – but it shouldn't be up to the platform to decide that no one should be able to provide you with service.
This is especially salient in light of the chaos caused by Crowdstrike's catastrophic software update last week. Crowdstrike demonstrated what happens to users when a cloud provider accidentally terminates their account, but while we're thinking about reducing the likelihood of such accidents, we should really be thinking about what happens when you get Crowdstruck on purpose.
The wholesale chaos that Windows users and their clients, employees, users and stakeholders underwent last week could have been pieced out retail. It could have come as a court order (either by a US court or a foreign court) to disconnect a user and/or brick their computer. It could have come as an insider attack, undertaken by a vengeful employee, or one who was on the take from criminals or a foreign government. The ability to give anyone in the world a Blue Screen of Death could be a feature and not a bug.
It's not that companies are sadistic. When they mistreat us, it's nothing personal. They've just calculated that it would cost them more to run a good process than our business is worth to them. If they know we can't leave for a competitor, if they know we can't sue them, if they know that a tech rival can't give us a tool to get our data out of their silos, then the expected cost of mistreating us goes down. That makes it economically rational to seek out ever-more trivial sources of income that impose ever-more miserable conditions on us. When we can't leave without paying a very steep price, there's practically a fiduciary duty to find ways to upcharge, downgrade, scam, screw and enshittify us, right up to the point where we're so pissed that we quit.
Google could pay competent decision-makers to review every complaint about an account disconnection, but the cost of employing that large, skilled workforce vastly exceeds their expected lifetime revenue from a user like Mark. The fact that this results in the ruination of Mark's life isn't Google's problem – it's Mark's problem.
The cloud is many things, but most of all, it's a trap. When software is delivered as a service, when your data and the programs you use to read and write it live on computers that you don't control, your switching costs skyrocket. Think of Adobe, which no longer lets you buy programs at all, but instead insists that you run its software via the cloud. Adobe used the fact that you no longer own the tools you rely upon to cancel its Pantone color-matching license. One day, every Adobe customer in the world woke up to discover that the colors in their career-spanning file collections had all turned black, and would remain black until they paid an upcharge:
https://pluralistic.net/2022/10/28/fade-to-black/#trust-the-process
The cloud allows the companies whose products you rely on to alter the functioning and cost of those products unilaterally. Like mobile apps – which can't be reverse-engineered and modified without risking legal liability – cloud apps are built for enshittification. They are designed to shift power away from users to software companies. An app is just a web-page wrapped in enough IP to make it a felony to add an ad-blocker to it. A cloud app is some Javascript wrapped in enough terms of service clickthroughs to make it a felony to restore old features that the company now wants to upcharge you for.
Google's defenestration of K Renee, Mark and Cassio may have been accidental, but Google's capacity to defenestrate all of us, and the enormous cost we all bear if Google does so, has been carefully engineered into the system. Same goes for Apple, Microsoft, Adobe and anyone else who traps us in their silos. The lesson of the Crowdstrike catastrophe isn't merely that our IT systems are brittle and riddled with single points of failure: it's that these failure-points can be tripped deliberately, and that doing so could be in a company's best interests, no matter how devastating it would be to you or me.
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/07/22/degoogled/#kafka-as-a-service
Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg
CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en
521 notes
crowdstrike hot take 5: so who was incompetent, really?
OK so it's the first Monday after the incident. CrowdStrike (CS) is being tight-lipped about the actual cause of the incident, which Microsoft estimates to have affected 8.5 million devices.
Here's an unconfirmed rumor: CS has been firing a lot of QA people and replacing them with AI. I will not base this post on that rumor. But...
Here's a fact: wikipedia listed 8429 CS employees as of April 2024. Now the updated page says they have 7925 employees in their "Fiscal Year 2024".
Anyway. Here's a semi-technical video if you want to catch up on what bluescreen and kernel-mode drivers are in the contexts of the CS incident by a former Microsoft engineer. He also briefly mentions WHQL certification - a quality assurance option provided by Microsoft for companies who want to make sure their kernel drivers are top-notch.
Now conceptually, there are two types of updates - updates to a software itself, and a definition update. For a videogame, the software update would be a new feature or bugfixes, and content update would add a new map or textures or something. (Realistically they come hand in hand anyway.) For an antivirus/antimalware, a definition update is basically a list of red flags - a custom format file that instructs the main software on how to find threats.
The video mentions an important thing about the faulty update: while many people say "actually it wasn't a software update that broke it, it was a definition file", it seems that CS Falcon downloads an update file and executes code inside that file - thus avoiding the lengthy re-certification by Microsoft while effectively updating the software.
Some background: On audits in software
A lot of software development is unregulated. You can make a website, deploy it, and whether you post puppy pictures or promote terrorism, there's no one reviewing and approving your change. Laws still apply - even the puppy pictures can be problematic if they include humans who did not consent to have their photos taken and published - but no one's stopping you immediately from publishing them.
And a lot of software development IS regulated - you cannot make software for cars without certifications, you cannot use certain programming languages when developing software for spaceships or MRIs. Many industries like online casinos are regulated - IF you want to operate legally in most countries, you need a license, and you need to implement certain features ("responsible gaming"), and you must submit the actual source code for reviews.
This varies country by country (and state by state, in USA, Canada, etc) and can mean things like "you pay $200 for each change you want to put to production*", or it can mean "you have to pay $40'000 if you make a lot of changes and want to get re-certified".
*production means "web servers or software that goes to end customers", as opposed to "dev environment", "developer's laptop", "QA environment" or "staging" or "test machines", "test VMs" or any of the other hundreds of ways to test things before they go live.
The certification, and regular audits, involves several things:
Testing the software from user's perspective
Validating the transactions are reported correctly (so that you're not avoiding taxes)
Checking for the user-protecting features, like being able to set a monthly limit on depositing money, etc
Checking the source code to make sure customers are not being ripped off
Validating security and permissions, so a janitor can't download or delete production databases
Validating that you have the work process that you said you would - that you have Jira (or similar) tickets for everything that gets done and put to production, etc, and
...that you have Quality Assurance process in place, and that every change that goes to production is tested and approved
You can see why I highlighted the last point, right.
Now, to my knowledge, security software doesn't have its own set of legal requirements - if I want to develop an antivirus, I don't need a special permission from my government, I can write code, not test it at all, and start selling it for, idk for example $185 per machine it gets deployed to.
And here's the thing - while there certainly is a level of corruption / nepotism / favoritism in the IT industry, I don't think CrowdStrike became one of the biggest IT security providers in the world just by sweet talking companies. While there isn't any legal regulation, companies do choose carefully before investing into 3rd party solutions that drastically affect their whole IT. What I mean, CrowdStrike probably wasn't always incompetent.
(Another rumor from youtube comments: A company with ~1000 employees was apparently pressured by an insurance company to use CrowdStrike - whether it's a genuine recommendation, an "affiliate link" or just plain old bribery... I do not know.)
WHY what happened is still very baffling
See, this is what would be the process if I was running a security solutions company:
a team is assigned a task. this task is documented
the team discusses the task if it's non-trivial, and they work on it together if possible
solo developer taking the task is not ideal, but very common, since you cannot parallelize (split it between several people) some tasks
while developing, ideally the developer can test everything from start to finish on their laptop. If doing it on their laptop isn't possible, then on a virtual machine (a computer that runs only inside software, and can be more or less stored in a file, duplicated, restored to a previous version, backed up, etc, just by copying that file)
in case of automated software updates, you would have "update channels". In this case it means... like if you have a main AO3 account where you put finished things, and then you'd have another AO3 account where you only put beta fics. So in my hypothetical company, you'd have a testing update channel for each developer or each team. The team would first publish their work only on their update channel, and then a separate QA team could test only their changes.
Either way, after maybe-mostly-finishing the task, the code changes would be bundled in something called a "pull request" or "PR" or "merge request". It's basically a web page that displays what was the code before and after. This PR would be reviewed by people who have NOT worked on the change, so they can check and potentially criticize the change. This is one of the most impactful things for software quality.
Either before or after the PR, the change would go to QA. First it would be tested just in the team's update channel. If it passes and no more development is needed on it, it would go to a QA update channel that joins all recent changes across all teams.
After that, it would be released to an early access or prerelease update channel, sometimes called a canary deploy. Generally, this would be either a limited amount - maybe 100 or 1000 computers, either used internally, or semi-randomly spread across real clients, or it could be as much as 10% of all customers' computers.
THEN YOU WAIT AND SEE IF THERE ARE NO ERROR REPORTS.
Basically ALL modern software (and websites! all the cookies!) collect "metrics" - like "how often each day is this running", or "did our application crash"
you absolutely MUST have graphs (monitoring - sometimes this is a part of discipline called "reliability engineering") that show visually things like the number of users online, how many customers are lagging behind with updates, how many errors are reported, how many viruses are being caught by our software. If anything goes up or down too much, it's a cause for concern. If 10% of your customers are suddenly offline after a canary deploy is out, you're shitting your pants.
ONLY after waiting for a while to see everything is okay, you can push the update to ALL clients. It is unfathomable how anyone would do that straight away, or maybe how someone could do it without proper checks, or how the wrong thing got sent to the update.
As ClownStrike is still silent about the actual cause of the issue, we can only make guesses about how much they circumvented their own Quality Assurance process to push the faulty update to millions of computers.
It gets worse
Here's the thing: CrowdStrike itself allows users to create computer groups and let them choose the update channel. You, as a business customer, can say
these 100 unimportant laptops will have the latest update
these important servers will have N-1 update (one version behind)
the rest of the company will have N-2 update (two update versions behind)
CrowdStrike has ignored those settings. According to some youtube comments, supposedly they pushed the update to "only" 25% of all devices - which is worrying to think this could have gone even worse.
Third time isn't the charm
And hey, do you know what happened two years before CrowdStrike was founded? The CEO George Kurtz was at the time, in 2010, the CTO of McAfee, the controversial / crappy security company (IMO offering one of the worst antivirus programs of all time, that was aggressively pushed through bundled OEM deals). In both 2009 and 2010 their enterprise software deleted a critical operating system file and bricked a lot of computers, possibly hundreds of thousands.
And yes, the trigger wasn't an update to the antivirus itself, but a faulty "definition update". Funny coincidence, huh.
12 notes
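The staged rollout and the N / N-1 / N-2 update channels described in the post above can be sketched as a small simulation. This is an added example, not part of the original post and not any vendor's code; the fleet, the ring names, the 5% halt threshold and the crash model are all constructed assumptions.

```python
from dataclasses import dataclass

MAX_OFFLINE = 0.05  # assumed gate: halt if more than 5% of just-updated hosts go silent


@dataclass
class Host:
    name: str
    ring: str          # vendor rollout ring: "internal", "canary" or "general"
    os: str
    lag: int = 0       # customer policy: 0 = N (latest), 1 = N-1, 2 = N-2
    version: int = 1   # content version currently installed
    online: bool = True


def build_fleet():
    """Constructed sample fleet; every host starts healthy on version 1."""
    fleet = [Host(f"int-{i}", "internal", "mac") for i in range(10)]
    fleet += [Host(f"can-w{i}", "canary", "windows") for i in range(30)]
    fleet += [Host(f"can-l{i}", "canary", "linux") for i in range(10)]
    for lag, count in ((0, 50), (1, 50), (2, 100)):
        fleet += [Host(f"gen-{lag}-{i}", "general", "windows", lag)
                  for i in range(count)]
    return fleet


def target_version(host, latest, honor_lag=True):
    """Version this host should run under its customer's N / N-1 / N-2 policy."""
    lag = host.lag if honor_lag else 0
    return max(host.version, latest - lag)


def bad_on_windows(host):
    """Constructed fault model: version 2 takes every Windows host offline."""
    return host.os == "windows" and host.version == 2


def rollout(fleet, latest, crashes, stages, honor_lag=True):
    """Push `latest` stage by stage; stop once a stage trips the offline gate."""
    halted_at = None
    for stage in stages:
        updated = []
        for host in fleet:
            want = target_version(host, latest, honor_lag)
            if host.ring in stage and want > host.version:
                host.version = want
                host.online = not crashes(host)  # stand-in for heartbeat telemetry
                updated.append(host)
        offline = sum(not h.online for h in updated)
        # "Wait and see": compare the error metric with the gate before moving on.
        if updated and offline / len(updated) > MAX_OFFLINE:
            halted_at = "+".join(sorted(stage))
            break
    return {
        "halted_at": halted_at,
        "updated": sum(h.version == latest for h in fleet),
        "offline": sum(not h.online for h in fleet),
    }


STAGED = [{"internal"}, {"canary"}, {"general"}]
ALL_AT_ONCE = [{"internal", "canary", "general"}]


def compare():
    """Same faulty update, three delivery policies, each on a fresh fleet."""
    return {
        "staged": rollout(build_fleet(), 2, bad_on_windows, STAGED),
        "all_at_once": rollout(build_fleet(), 2, bad_on_windows, ALL_AT_ONCE),
        "all_at_once_ignoring_lag": rollout(
            build_fleet(), 2, bad_on_windows, ALL_AT_ONCE, honor_lag=False),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:26} {result}")
```

In the staged run the gate trips at the canary ring and the general ring is never touched; in the single-stage runs the same gate only fires after every eligible host has already received the update.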
About three years ago, some of Google’s security engineers came to company attorneys with a gigantic mess.
The security team had discovered that Google unwittingly was enabling the spread of malicious software known as Glupteba. The malware had corrupted more than 1 million Windows computers, turning them into vehicles to mine cryptocurrency and spy on users. By hijacking Google accounts, purchasing Google ads to lure in users, and misusing Google cloud tools, the hackers behind the operation were on their way to infecting even more computers.
Tech giants such as Google long have had a playbook for destroying botnets like Glupteba. They call up fellow companies and US authorities and together coordinate a massive takedown operation. Sometimes, the cops file criminal charges. But this time around, Google’s legal team recommended an approach that the company hadn’t pursued in years: Sue the hackers for money.
The eventual lawsuit against two Russian men and a dozen unnamed individuals allegedly behind Glupteba would be the first of a run of at least eight cases that Google has filed against various hackers and scammers, adding to a sporadic few filings in the past. The tactic, which Google calls affirmative litigation, is meant to scare off would-be fraudsters and generate public awareness about scams. Now, for the first time, Google is opening up about this strategy.
Leaders of Google’s security and legal teams tell WIRED they believe going after people in court has paid off. Google hasn’t yet lost a case; it has collected almost all of the more than $2 million that it has won through the legal process, and forced hundreds of companies or websites to shut down. The awards are trivial to Google and its parent Alphabet, a $2 trillion company, but can be devastating for the defendants.
“We’re disrupting bad actors and deterring future activity, because it’s clear that the consequences and the costs are high,” says Chester Day, lead of the three-person “litigation advance” team at Google that’s focused on taking people to court. Google, he adds, is “making it clear that we’re willing to invest our resources into taking action to protect our users.”
Google blog posts and similar content about the lawsuits and the underlying scams have drawn more than 1 billion views, according to the company. Google representatives say that the awareness increases vigilance among consumers and shrinks the pool of vulnerable targets. “Educating people about how these crimes work may be the best thing we can do to stop the crime,” says Harold Chun, director of Google’s security legal team.
Several Big Tech companies have pursued affirmative litigation, though not necessarily under that name and with varying strategies. Microsoft has filed more than two dozen lawsuits since 2008 with a focus on securing court permission to dismantle botnets and other hacking tools. Amazon has been a prolific complainant since 2018, filing at least 42 cases over counterfeit products, 38 for reviews fraud, three for copyright abuse, and, recently, two for bogus product returns. Amazon has been filing so many counterfeit cases, in fact, that the federal court in western Washington assigned three magistrate judges to focus on them.
Since 2019, Meta has filed at least seven counterfeiting or data theft cases, with settlements or default judgments in four so far, including one in which it won nearly $300,000 in damages. Like Meta, Apple has sued Israeli spyware developer NSO Group for alleged hacking. (NSO is fighting the lawsuits. Trials are scheduled for next year.)
Some attorneys who’ve studied how the private sector uses litigation to enforce the law are skeptical about the payoff for the plaintiffs. David Noll, a Rutgers University law professor and author of a forthcoming book on state-supported private enforcement, Vigilante Nation, says it’s difficult to imagine that companies could bring the volume of cases needed to significantly stop abuse. “The fact that there is a small chance you might be named in a suit isn’t really going to deter you,” he says.
Noll believes the big risk is that Google and other tech companies could be burdening the court system with cases that ultimately secure some favorable headlines but do less to make the internet safer than the companies could achieve through investing in better antifraud measures.
Still, of the six outside legal experts who spoke to WIRED, all of them say that overall Google deserves credit for complementing the work of underfunded government agencies that are struggling to rein in online abuse. At an estimated hundreds of thousands of dollars per case, it’s a low-risk endeavor for the tech giant, former prosecutors say.
“Reliable and regular enforcement when folks step outside the law brings us closer to a society where less of us are harmed,” says Kathleen Morris, resident scholar of law at UC Berkeley’s Institute of Governmental Studies. “This is healthy and robust collaboration on law enforcement by the public and private sectors.”
Google’s general counsel, Halimah DeLaine Prado, tells WIRED she wants to send a message to other companies that the corporate legal department can do more than be the team that says “no” to wild ideas. “Legal can be a proactive protector,” she says.
Marketing Scams
DeLaine Prado says that from its earliest days, Google has considered pursuing litigation against people abusing its platforms and intellectual property. But the first case she and other leaders within Google recall filing was in 2015. Google accused Local Lighthouse, a California marketing company, of placing robocalls to dupe small businesses into paying to improve their ranking in search results. Google alleged trademark infringement, unfair competition, and false advertising. As part of a settlement, Lighthouse stopped the problematic calls.
Since then, Google has filed complaints against five similar allegedly scammy marketers, with three of them ending in settlements so far. A Florida business and its owners agreed to pay Google $850,000, and a Los Angeles man who allegedly posted 14,000 fake reviews on Google Maps agreed to stop. Terms of the third deal, with an Illinois company, were not disclosed in court files, but Google spokesperson José Castañeda says it involved a seven-figure payment to Google.
Castañeda says Google has donated all the money it has collected to recipients such as the Better Business Bureau Institute, the National Consumers League, Partnership to End Addiction, Cybercrime Support Network, and various US chambers of commerce.
Another genre of cases has targeted individuals submitting false copyright complaints to Google to get content removed from the company’s services. A man in Omaha, Nebraska, whom Google accused of falsely claiming ownership of YouTube videos to extort money from their real owners, agreed to pay $25,000 to Google. Two individuals in Vietnam sued by Google never responded—a common issue.
In 2022, Google won default judgment against an individual in Cameroon who never responded to charges that he was using Gmail to scam people into paying for fake puppies, including a $700 basset hound. After the lawsuit, complaints about the scammer dried up, according to Google.
But legal experts say the most fascinating cases of Google’s affirmative litigation are four that it filed against alleged computer hackers. The suits emerged after months of investigation into Glupteba.
Security engineers at Google realized that eradicating Glupteba through the typical approach of taking down associated servers would be difficult. The hackers behind it had designed a backup system involving a blockchain that enabled Glupteba to resurrect itself and keep pilfering away.
That’s in part why Google’s attorneys suggested suing. Chun, the security legal director, had pursued cases against botnets as a federal prosecutor. “I thought this would be something good to do from a civil angle for a company as well,” he says. “Law enforcement agencies have limits on what they can do. And Google has a large voice and the litigation capacity.”
Chun and other attorneys cautioned their bosses that the hackers might use the lawsuit to reverse engineer Google’s investigation methods and make Glupteba more evasive and resilient. But ultimately, DeLaine Prado, who has final say over lawsuits, signed off. Chun says his former colleagues from the government applauded the complaint.
Google sued Dmitry Starovikov and Alexander Filippov, alleging that they were the Russia-based masterminds behind Glupteba after linking websites associated with the virus to Google accounts in their name. The search giant accused the duo (and unknown co-conspirators) of violating the Racketeer Influenced and Corrupt Organizations Act (RICO), the Computer Fraud and Abuse Act, and the Electronic Communications Privacy Act. The lawsuit also alleged a trademark law violation for hiding Glupteba in a tool that claimed to download videos from YouTube.
Google argued that it had suffered substantial harm, having never received payment for ads it had sold to the hackers, who allegedly were using fraudulent credit cards. Users also had their experiences with Google services degraded, putting them at risk and impairing the value of the company’s brand, according to the lawsuit.
In court papers, Starovikov and Filippov stated they learned of the lawsuit only through friends and then decided to hire a New York attorney, Igor Litvak, to fight on their behalf. The defendants initially offered innocent explanations for their software related to Glupteba and said that their projects had not targeted the US market. At one point, they countersued Google for $10 million, and at another, they allegedly demanded $1 million each to hand over the keys to shut down the botnet. They eventually denied the allegations against them.
Following an ordeal over whether the defendants could obtain Russian passports, sit for depositions in Europe, and turn over work files, Google’s attorneys and Litvak traded accusations of lying. In 2022, US district judge Denise Cote sided with Google. She found in a 48-page ruling that the defendants “intentionally withheld information” and “misrepresented their willingness and ability” to disclose it to “avoid liability and further profit” from Glupteba. “The record here is sufficient to find a willful attempt to defraud the Court,” Cote wrote.
Cote sanctioned Litvak, and he agreed to pay Google $250,000 in total through 2027 to settle. The jurist also ordered Starovikov and Filippov to pay nearly $526,000 combined to cover Google’s attorneys’ fees. Castañeda says Google has received payment from all three.
Litvak tells WIRED that he still disagrees with the judge's findings and that Russia’s strained relationship with the US may have weighed on whom the judge trusted. “It’s telling that after I filed a motion to reconsider, pointing out serious issues with the court’s decision, the court went back on its original decision and referred [the] case to mediation, which ended with … me not having to admit to doing anything wrong,” he says in an email.
Google’s Castañeda says the case achieved the intended effect: The Russian hackers stopped misusing Google services and shut down their marketplace for stolen logins, while the number of Glupteba-infected computers fell 78 percent.
Not every case delivers measurable results. Defendants in Google’s other three hacking cases haven’t responded to the accusations. That led to Google last year winning default judgment against three individuals in Pakistan accused of infecting more than 672,000 computers by masquerading malware as downloads of Google’s Chrome browser. Unopposed victories are also expected in the remaining cases, including one in which overseas app developers allegedly stole money through bogus investment apps and are being sued for violating YouTube Community Guidelines.
Royal Hansen, Google’s vice president for privacy, safety, and security engineering, says lawsuits that don’t result in defendants paying up or agreeing to stop the alleged misuse still can make alleged perpetrators’ lives more difficult. Google uses the rulings as evidence to persuade businesses such as banks and cloud providers to cut off the defendants. Other hackers might not want to work with them knowing they have been outed. Defendants also could be more cautious about crossing international borders and becoming newly subject to scrutiny from local authorities. “That’s a win as well,” Hansen says.
More to Come
These days, Google’s small litigation advance team meets about twice a week with other units across the company to discuss potential lawsuits. They weigh whether a case could set a helpful precedent to give extra teeth to Google’s policies or draw awareness to an emerging threat.
Team leader Day says that as Google has honed its process, filing cases has become more affordable. That should lead to more lawsuits each year, including some for the first time potentially filed outside the US or representing specific users who have been harmed, he says.
The tech giants' ever-sprawling empires leave no shortage of novel cases to pursue. Google’s sibling company Waymo recently adopted the affirmative litigation approach and sued two people who allegedly smashed and slashed its self-driving taxis. Microsoft, meanwhile, is weighing cases against people using generative AI technology for malicious or fraudulent purposes, says Steven Masada, assistant general counsel of the company’s Digital Crimes Unit.
The questions remain whether the increasing cadence of litigation has left cybercriminals any bit deterred and whether a broader range of internet companies will go on the legal offense.
Erin Bernstein, who runs the California office of Bradley Bernstein Sands, a law firm that helps governments pursue civil lawsuits, says she recently pitched a handful of companies across industries on doing their own affirmative litigation. Though none have accepted her offer, she’s optimistic. “It will be a growing area,” Bernstein says.
But Google’s DeLaine Prado hopes affirmative litigation eventually slows. “In a perfect world, this work would disappear over time if it’s successful,” she says. “I actually want to make sure that our success kind of makes us almost obsolete, at least as it relates to this type of work.”
10 notes
"[...]The argument for the exemption received considerable pushback from agencies including the Entertainment Software Association, which argued that proposed controls over who would be allowed to access exempted software, and for what reason, were unclear. A "human review" requirement was "at best incomplete," the ESA said, and that by not including more specific requirements in the proposal, supporters of the exemption were "trying to reserve almost complete discretion in how they would provide access to preserve[d] games." The ESA also claimed that "there remains a substantial market for classic games," and that allowing "widespread remote access to preserved games with minimal supervision would present a serious risk to an important market." In the end, Shira Perlmutter, register of copyrights and director of the US Copyright Office, was not swayed by the arguments in favor of game preservation, ruling that proponents of videogame preservation "have not satisfied their burden to demonstrate that the requested uses are or are likely to be noninfringing.""
Like, I hate to break it to game preservationists, but they're gonna have to "become ungovernable" and push the issue until the Copyright Office doesn't have a public or a corporate leg to stand on.
That's the only way history gets preserved in the face of entities who are still trying their damnedest to criminalize reselling and sharing games secondhand the same way they succeeded with file sharing back in the 2010s.
These people don't care about preservation, they just wanna consume nickels and dimes.
#videogamesincolor #video game history #game preservation #copyright #copyright office #capitalism #media manipulation #pc gamer
3 notes
How To Buy Poker Game Source Code?
The poker industry is a goldmine of opportunities with millions of players worldwide. But launching a successful poker app can feel daunting, especially if you’re starting from scratch. That’s where buying a poker game source code comes in: it’s the perfect shortcut to a feature-rich, professional platform that’s ready to customize and deploy.
This guide will help you understand the essentials of buying poker source code, its benefits, and the factors to watch out for during the process.
What is a Poker Game Source Code?
A poker game source code is the backbone of any poker app or platform. It’s a collection of programming instructions and files that define how the app operates, looks, and feels. Think of it as the blueprint for your poker application. It controls everything from the user interface to game logic, security features, and performance.
When you buy poker source code, you purchase a ready-made framework that developers can customize and refine according to your needs. This saves you from building the platform from scratch and allows you to focus on branding and user experience.
Benefits of Buying Poker App Source Code
Investing in a pre-built poker app source code offers several advantages:
Faster Time-to-Market
Building a poker app from scratch can take months or even years. With a ready-made poker game source code, you can launch your platform much faster, allowing you to capture market opportunities immediately.
Cost-Effective Solution
Developing an app involves hiring skilled developers, designers, and testers, which can be expensive. You can significantly reduce development costs by purchasing a poker app source code.
Customizability
A good poker source code allows for easy customization. You can modify features, design elements, and game rules to align with your brand and target audience.
Proven Framework
Established poker game source codes have already been tested and optimized, minimizing the chances of bugs and errors. This ensures a smoother gaming experience for your users.
Compliance with Regulations
Reputable poker app source codes often come with built-in compliance features to meet legal requirements, making operating in multiple jurisdictions easier.
Things to Keep in Mind Before Buying Poker Source Code
When you decide to buy a poker game source code, it’s essential to evaluate certain factors to ensure you’re making a wise investment:
Vendor Reputation
Research the vendor thoroughly. Look for reviews, testimonials, and case studies to verify their reliability. A reputable vendor ensures high-quality code and dependable customer support.
Code Quality
Inspect the quality of the poker app source code. Poorly written code can lead to performance issues and security vulnerabilities. Make sure the code is clean, modular, and easy to customize.
Features and Scalability
Check whether the source code includes essential features like multiplayer support, anti-fraud mechanisms, and smooth gameplay. Also, make sure it is scalable to handle growing users as your platform grows.
Customization Options
Your poker app should reflect your unique brand identity. Confirm that the source code offers flexibility for design and feature customization.
Compliance and Licensing
Ensure the poker game source code complies with local gaming regulations. Verify that you receive proper licensing to avoid legal complications.
Common Mistakes to Avoid
Avoiding these mistakes can save you from unnecessary hassles and ensure a smooth buying process:
Choosing the Cheapest Option
Opting for the cheapest poker source code may seem tempting, but it often results in low-quality software with hidden issues. Always prioritize quality over cost.
Overlooking Documentation
Documentation is crucial for understanding the functionality and integration process. Never purchase a poker app source code without complete and clear documentation.
Ignoring Support Services
Technical support is vital for resolving issues quickly. Ensure the vendor provides reliable post-purchase support.
Neglecting Security Features
Security is non-negotiable in online poker platforms. Ensure the code includes robust security measures like encryption and fraud detection.
Why Choose Creatiosoft for Poker Source Code?
We stand out as a trusted name in the industry. Since 2012, we have been delivering top-notch poker game source codes to clients worldwide. Here’s why Creatiosoft is your best choice:
Proven Expertise
With over a decade of experience, we understand the complexities of poker app development. Our team ensures you get a reliable and scalable source code tailored to your needs.
Feature-Rich Solutions
Our poker app source code has advanced features, including multiplayer functionality, AI-powered analytics, secure payment gateways, and responsive design.
Customization and Branding
We offer complete flexibility to customize the platform according to your business model, ensuring your brand stands out in the competitive market.
Top-Notch Support
At Creatiosoft, we provide ongoing technical support to ensure your platform runs smoothly.
Compliance Ready
Our poker game source code adheres to legal and regulatory standards, making operating globally easier.
Final Words
Buying a poker app source code is a brilliant idea for businesses looking to enter the online poker industry. It saves time, reduces costs, and provides a solid foundation for building a successful platform. With a reliable provider, you can be confident that your investment will deliver exceptional quality and long-term scalability.
2 notes
A robotic malfunction at Tesla’s Giga Texas factory resulted in a violent encounter where an engineer was attacked by one of the company’s robots, resulting in significant injuries and leaving a ‘trail of blood.’
According to the Daily Mail, while working on software programming for non-functional Tesla robots, the engineer was suddenly pinned against a surface by a robot tasked with manipulating aluminum car components, with its metal claws inflicting an injury that left an ‘open wound’ on the worker’s left hand.
“Two of the robots, which cut car parts from freshly cast pieces of aluminum, were disabled so the engineer and his teammates could safely work on the machines. A third one, which grabbed and moved the car parts, was inadvertently left operational, according to two people who watched it happen. As that robot ran through its normal motions, it pinned the engineer against a surface, pushing its claws into his body and drawing blood from his back and his arm, the two people said,” The Information reported.
Quick action was taken by Tesla workers who intervened and triggered the emergency shutdown button to halt the malfunctioning robot and prevent further injury to the engineer.
This incident came to light through a 2021 injury report filed to Travis County and federal regulators, which Daily Mail reviewed. Tesla is legally required to report such incidents to ensure the continuation of state-provided tax incentives.
Despite claims by Tesla that the engineer did not require time off following the event, an attorney representing the factory’s contract laborers suggests otherwise. Evidence hints at possible underreporting of workplace accidents, casting doubt on the official records.
Daily Mail reported:
The injury report, which Tesla must submit to authorities by law to maintain its lucrative tax breaks in Texas, claimed the engineer did not require time off of work. But one attorney who represents Tesla’s Giga Texas contract workers has told DailyMail.com she believes, based on her conversations with workers there, that the amount of injuries suffered at the factory is going underreported. This underreporting, the attorney said, even included the September 28, 2021 death of a construction worker, who had been contracted to help build the factory itself. ‘My advice would be to read that report with a grain of salt,’ the attorney, Hannah Alexander of the nonprofit Workers Defense Project, told DailyMail.com. ‘We’ve had multiple workers who were injured,’ Alexander said, ‘and one worker who died, whose injuries or death are not in these reports that Tesla is supposed to be accurately completing and submitting to the county in order to get tax incentives.’
Elon Musk has yet to issue a formal statement in response to these allegations.
Just recently, Tesla revealed the second generation of its humanoid robot, Optimus Gen 2.
Optimus Gen 2 stands at a height of 5 feet 11 inches and weighs in at a light 121 pounds, shedding 22 pounds from the first model. It’s not just its frame that’s been upgraded; this robot can reach speeds up to 5 mph, which is a substantial 30% increase in velocity.
7 notes
Hassle-Free GST Return Filing Services in Delhi by SC Bhagat & Co.
Introduction: Navigating the complexities of Goods and Services Tax (GST) return filing can be daunting for businesses. To ensure compliance and avoid penalties, it's crucial to have a reliable partner who can manage your GST returns efficiently. SC Bhagat & Co. offers top-notch GST return filing services in Delhi, helping businesses streamline their tax processes and stay compliant with the latest regulations. In this blog, we'll explore the importance of GST return filing, the services provided by SC Bhagat & Co., and why they are the best choice for your business in Delhi.
Why GST Return Filing is Important
GST return filing is a mandatory requirement for businesses registered under the GST regime in India. Regular and accurate filing of GST returns is essential for several reasons:
Compliance: Ensures adherence to tax laws and regulations, avoiding legal issues and penalties.
Input Tax Credit (ITC): Facilitates the claim of ITC, which helps reduce the overall tax liability.
Business Credibility: Enhances the credibility and trustworthiness of your business among clients and stakeholders.
Avoid Penalties: Prevents hefty fines and interest charges that result from late or incorrect filing.
Comprehensive GST Return Filing Services by SC Bhagat & Co.
SC Bhagat & Co. provides a full range of GST return filing services in Delhi, tailored to meet the unique needs of your business. Here’s what you can expect:
1. Accurate GST Return Preparation
Our experienced professionals ensure that your GST returns are prepared accurately, reflecting all transactions and complying with the latest GST laws. We handle all types of GST returns, including GSTR-1, GSTR-3B, GSTR-9, and more.
2. Timely Filing
Timely filing is crucial to avoid penalties and interest charges. SC Bhagat & Co. guarantees prompt filing of your GST returns, keeping track of all deadlines and ensuring that you never miss a due date.
3. Error-Free Data Management
We meticulously review all your financial data to ensure that your GST returns are error-free. Our team double-checks every detail, reducing the risk of discrepancies and ensuring smooth processing.
4. ITC Reconciliation
Our experts assist in reconciling your Input Tax Credit (ITC) to ensure you claim the correct amount, maximizing your tax benefits and minimizing liabilities.
5. Regular Updates and Compliance
GST laws and regulations are subject to frequent changes. SC Bhagat & Co. stays updated with the latest amendments and ensures that your GST returns comply with the current rules and guidelines.
6. Personalized Support
We provide personalized support to address any queries or issues you may have regarding GST return filing. Our team is always available to assist you with expert advice and solutions.
Why Choose SC Bhagat & Co. for GST Return Filing Services in Delhi
Expertise and Experience
With years of experience in tax consulting, SC Bhagat & Co. has a deep understanding of GST regulations and filing procedures. Our expertise ensures that your GST returns are handled professionally and accurately.
Client-Centric Approach
We prioritize our clients' needs and provide tailored solutions to meet their specific requirements. Our client-centric approach ensures that you receive the best possible service and support.
Advanced Technology
SC Bhagat & Co. leverages advanced technology and software to streamline the GST return filing process. Our tech-driven approach enhances efficiency and accuracy, saving you time and effort.
Proven Track Record
Our proven track record of successful GST return filings speaks for itself.
2 notes
How to Make Sure You're Withholding and Reporting Your Taxes Correctly
Taxes are an inevitable part of life for most individuals and businesses. Whether you're a salaried employee, a freelancer, or a business owner, understanding how to withhold and report your taxes correctly is crucial to avoid potential legal troubles and financial headaches down the road. In this article, we will explore the key steps and considerations to ensure that you're handling your taxes in a responsible and compliant manner.
Know Your Tax Obligations
The first and most critical step in ensuring you're withholding and reporting your taxes correctly is to understand your tax obligations. These obligations vary depending on your employment status and the type of income you earn. Here are some common categories of taxpayers:
1. Salaried Employees
If you're a salaried employee, your employer typically withholds income taxes from your paycheck based on your Form W-4, which you fill out when you start your job. It's essential to review and update your W-4 regularly to ensure that your withholding accurately reflects your current financial situation. Major life events like marriage, having children, or significant changes in your income should prompt you to revisit your W-4.
2. Freelancers and Self-Employed Individuals
Freelancers and self-employed individuals often have more complex tax obligations. You are responsible for estimating and paying your taxes quarterly using Form 1040-ES. Keep detailed records of your income and expenses, including receipts and invoices, to accurately report your earnings and deductions.
3. Small Business Owners
If you own a small business, your sales tax responsibilities extend beyond your personal income. You must separate your business and personal finances, keep meticulous records of all business transactions, and file the appropriate business tax returns. The structure of your business entity (e.g., sole proprietorship, partnership, corporation) will determine the specific tax forms you need to file.
4. Investors and Property Owners
Investors and property owners may have to report income from dividends, interest, capital gains, or rental properties. These income sources have their specific tax reporting requirements, and it's essential to understand and comply with them.
Keep Accurate Records
Regardless of your tax situation, maintaining accurate financial records is essential. Detailed records make it easier to report your income and deductions correctly, substantiate any claims you make on your tax return, and provide documentation in case of an audit. Here are some record-keeping tips:
Organize Your Documents: Create a system to store your financial documents, including receipts, invoices, bank statements, and tax forms. Consider using digital tools for easier record keeping.
Track Income and Expenses: Keep a ledger or use accounting software to record all income and expenses related to your financial activities. Categorize expenses correctly to maximize deductions and credits.
Retain Documents for Several Years: The IRS typically has a statute of limitations for auditing tax returns, which is generally three years. However, in some cases, it can extend to six years or indefinitely if fraud is suspected. To be safe, keep your tax records for at least seven years.
Understand Deductions and Credits
Deductions and credits can significantly reduce your tax liability. Deductions reduce your taxable income, while credits provide a dollar-for-dollar reduction of your tax bill. Familiarize yourself with common deductions and credits that may apply to your situation:
Standard Deduction vs. Itemized Deductions: Depending on your filing status and financial situation, you can choose between taking the standard deduction or itemizing your deductions. Itemizing requires more documentation but can result in greater tax savings.
Tax Credits: Explore available tax credits, such as the Earned Income Tax Credit (EITC), Child Tax Credit, and Education Credits. These credits can provide substantial savings, especially for low- to moderate-income individuals and families.
Business Expenses: If you're self-employed or a small business owner, be aware of deductible business expenses, including office supplies, travel expenses, and home office deductions.
Seek Professional Assistance
Tax laws are complex and subject to change. Seeking professional assistance from a certified tax professional or CPA (Certified Public Accountant) can be a wise investment. Tax professionals can help you:
Maximize Deductions: They are well-versed in the intricacies of tax law and can identify deductions and credits you might overlook.
Ensure Compliance: Tax professionals can ensure that you are complying with current tax laws and regulations, reducing the risk of costly errors or audits.
Provide Tax Planning: They can help you create a tax-efficient strategy to minimize your tax liability in the long term.
Represent You in Audits: If you face an audit, a tax professional can represent you and help navigate the process.
File Your Taxes on Time
Filing your taxes on time is crucial to avoid penalties and interest charges. The tax filing deadline for most individuals is April 15th. However, if you need more time, you can file for an extension, which typically gives you until October 15th to submit your return. Keep in mind that an extension to file is not an extension to pay any taxes owed, so pay as much as you can by the original deadline to minimize interest and penalties.
Consider Electronic Filing
Electronic filing (e-filing) is a secure and convenient way to submit your tax return to the IRS. It reduces the risk of errors and ensures faster processing and quicker refunds, if applicable. Many tax software programs offer e-filing options, making it easy for individuals and businesses to submit their returns electronically.
Stay Informed and Adapt
Tax laws can change from year to year, so staying informed is essential. Follow updates from the IRS and consult outsourcing sales tax services professionals or resources to understand how changes in tax laws may affect you. Be proactive in adapting your tax strategies to maximize savings and remain compliant with current regulations.
In conclusion, withholding and reporting your taxes correctly is a responsibility that should not be taken lightly. Understanding your tax obligations, keeping accurate records, leveraging deductions and credits, seeking professional assistance when needed, and filing on time are essential steps to ensure a smooth and compliant tax-filing experience. By following these guidelines, you can navigate the complexities of the outsourcing sales tax services system with confidence and peace of mind. Remember that taxes are a fundamental part of our society, and paying them correctly ensures that essential public services and infrastructure are funded for the benefit of all.
2 notes
Text
Make your photographs work for you and earn money.
Selling your photos on stock websites can be a great way to earn additional income. Selling stock photography through mobile devices and DSLRs has become increasingly popular and accessible with the advancement of digital technology. Here are some steps you can take to get started:
Research Stock Websites: There are numerous stock websites where you can sell your photos, such as Shutterstock, Adobe Stock, Freepik, Getty Images and iStock. Look into their submission guidelines, royalty rates, and popularity among buyers.
Assess Market Demand: Before you start shooting and uploading photos, it's important to understand what types of images are in demand. Take a look at the popular categories on stock websites and analyze the types of images that sell well. This will help you focus your efforts and maximize your chances of making sales.
Capture Marketable Photos: Aim to capture high-quality, visually appealing images that have commercial value. Consider popular themes like travel, nature, lifestyle, business, and technology. Ensure your photos are well-lit, properly composed, and have good resolution.
Edit and Enhance: Post-processing your photos can significantly improve their appeal. Use photo editing software like Adobe Lightroom or Photoshop to enhance colors, adjust exposure, and remove any imperfections. However, be careful not to over-edit and maintain a natural look.
Keywording and Descriptions: When uploading your photos, provide accurate and descriptive titles, captions, and keywords. This will help potential buyers find your images when they search for specific topics. Be thorough but relevant in your keyword selection.
Follow Submission Guidelines: Each stock website has its own set of submission guidelines, so make sure to review them carefully. Pay attention to the technical specifications, image size requirements, and file formats they accept. Failure to comply with these guidelines may result in your photos being rejected.
Model and Property Releases: If your photos contain recognizable individuals or private property, you may need model or property releases. These releases grant you legal permission to sell the images commercially. Familiarize yourself with the rules and requirements surrounding model and property releases on the stock websites you choose.
Regularly Upload New Content: Consistency is key to success in stock photography. Regularly upload new photos to keep your portfolio fresh and increase your visibility in search results. By building a diverse and substantial collection of images, you can attract a wider range of buyers.
Track Sales and Optimize: Monitor your sales and analyze the performance of your images. Pay attention to which photos are selling well and which ones are not. This data will help you refine your future photography efforts and focus on the subjects and styles that resonate with buyers.
Be Patient and Persistent: Selling photos on stock websites can take time and perseverance. It may take a while before you start seeing significant income. Stay motivated, continue to improve your skills, and adapt to the changing demands of the market.
Remember, while selling photos on stock websites can be a lucrative venture, it's also a competitive industry. Success often comes with time, effort, and a strong understanding of what buyers are looking for.
#photographers on tumblr#photography#photos#i sell pictures#i sell custom pics#stock images#100 days of productivity#stock photos#bird photos#bird photography#birdlovers#birds nature#birds of prey
2 notes
Text
Can I just say how much of an absolute pain in the ass it is to be handed a proprietary software and file format for video surveillance with almost 40 files each with a few channels, just to be told "Yeah, you have to use our software to manually export all of these to a standard format teehee~"
This should like actually be illegal, it only makes the legal process of getting these videos submitted for evidence review even longer than it already is because someone has to sit there and manually convert it. Oftentimes on very slow, dated computers, so it takes actual hours to render out the new converted video file.
Oh, and to put the icing on top of the cake, some of these don't even let you export the video! The best way to get them to a standard format is, I kid you not, capture the screen and let the video play back, and sometimes these videos are multiple hours long, each.
Part of me wonders just how much faster the legal processes would be if video were just provided to us as a standard format and everyone used somewhat modern systems capable of handling these video loads.
2 notes
Text
A Behind-the-Scenes Look at a Laravel Security Audit
Introduction
Laravel is one of the most popular PHP frameworks, and it is likely to continue to be that way for some time to come. There are many reasons why this is so, like its syntax, robust features, scalability, and, most of all, its high level of security.
Security remains a paramount concern for developers and businesses alike, irrespective of the selection of technology. Laravel, like any other framework, is not immune to security threats.
Conducting an in-depth security audit for a Laravel application involves a comprehensive review of various security aspects to ensure the application is robust and secure.
Security breaches can have devastating consequences for businesses, including data theft, financial loss, and reputation damage. This blog offers a detailed behind-the-scenes look at the process of conducting a Laravel security audit.
What is a Laravel Security Audit?
A Laravel security audit systematically examines an application for potential vulnerabilities, misconfigurations, and adherence to security best practices. It ensures that the application aligns with industry standards, such as OWASP Top 10, and safeguards sensitive data. Securing web applications is critical in today's environment of rising cyber threats. Regular security audits are essential to ensure comprehensive protection.
One can assess the application security via a Laravel Security Audit. It helps in evaluating a Laravel application to identify and address vulnerabilities and potential risks that could compromise its security. The audit ensures the application adheres to best practices, protecting sensitive data and preventing cyberattacks.
The main goals of a Laravel Security Audit:
Identify Laravel Vulnerabilities: Detect security flaws such as SQL injections, XSS attacks, or weak authentication.
Enhance Security Measures: Reinforce built-in Laravel security features with additional safeguards.
Ensure Compliance: Meet legal and industry standards (e.g., GDPR, HIPAA, PCI-DSS).
Maintain User Trust: Protect user data and preserve application integrity.
A Laravel Security Audit is essential for maintaining a secure, compliant, and trustworthy application. It systematically uncovers vulnerabilities and ensures your application is fortified against modern threats. An official Laravel partner will have skilled developers and the necessary resources to deliver top-notch solutions. Acquaint Softtech is one such Laravel development company.
We have over 10 years of experience delivering feature-rich and secure Laravel applications. We are a software development outsourcing company in India with a dedicated team of Laravel developers.
Laravel Security Protocols
Laravel prioritizes security by incorporating several protocols and best practices to protect web applications from vulnerabilities. This is further verified after the release of version 11, where many more security features were introduced. Below is a comprehensive overview of Laravel's security protocols:
Authentication and Authorization
Protection Against SQL Injection
Cross-Site Scripting (XSS) Protection
Cross-Site Request Forgery (CSRF) Protection
Secure File Uploads
Data Encryption
Session Security
HTTPS and HSTS
API Security
Error and Exception Handling
Secure Storage of Environment Variables
Dependency Management
Disable Unused Features
Logging and Monitoring
Common Laravel Security Audit Issues
Laravel is a secure PHP framework. However, it is not uncommon for security vulnerabilities to develop as a result of bad configuration or improper usage of a feature. Some of the common issues found during Laravel security audits include:
Insufficient input validation
Missing subresource integrity (SRI)
Insufficient rate limiting
Cross-site scripting (XSS)
Outdated & vulnerable dependencies
Insecure function use
Missing security headers
Missing content security policy (CSP)
Missing authorization
Exposed API keys & passwords
Security Audit Process
Set up the Scope of the Audit: The first step in a Laravel security audit is defining its scope. This includes:
Identifying Critical Areas:
Authentication and authorization mechanisms
Input validation and sanitization
Application and server configuration
Data encryption and storage
API endpoints and integration
Understanding the Application Architecture:
Documenting the architecture and dependencies
Mapping data flow within the application
Determining the Audit Type:
Black-box testing: Testing without access to the source code.
White-box testing: Testing with full access to the source code.
Gray-box testing: A combination of both approaches.
Setting Goals:
Identify and mitigate Laravel vulnerabilities.
Ensure compliance with legal and regulatory requirements.
Establish a baseline for ongoing security practices.
Reviewing the Laravel Environment Configuration:
Laravel's .env file is critical for managing environment-specific configurations, but it can also become a security risk if misconfigured.
Checklist for Environment Configuration:
Ensure the .env file is not accessible publicly. Misconfigured servers can expose this file, revealing sensitive credentials.
Use strong, randomly generated application keys (APP_KEY) to secure sessions and encrypted data.
Disable debugging mode (APP_DEBUG=false) in production environments to prevent sensitive information exposure.
Tools Used:
Manual inspection of configuration files
Automated tools like Laravel DebugBar for debugging issues
Examining Authentication and Authorization:
Authentication and authorization mechanisms are the backbone of application security. A robust implementation minimizes the risk of unauthorized access.
Authentication:
Verify the implementation of Laravel’s built-in authentication scaffolding.
Ensure secure password hashing using bcrypt or Argon2.
Enforce strong password policies and implement multi-factor authentication (MFA) if possible.
Authorization:
Review roles and permissions using Laravel policies and gates.
Check for privilege escalation vulnerabilities.
Session Security:
Use HTTPS to secure cookies.
Enable SameSite and HttpOnly attributes for cookies.
Configure session timeouts and token regeneration.
Tools Used:
Manual code review
Laravel’s built-in Auth and Gate facades for validation
Input Validation and Data Sanitization:
Unvalidated or unsanitized user input is a leading cause of security vulnerabilities, including SQL injection, XSS, and command injection.
Best Practices:
Validation Rules:
Use Laravel’s request validation methods ($request->validate) to ensure inputs meet specified criteria.
Avoid custom validation where built-in methods suffice.
Sanitization:
Escape output using Laravel’s Blade templating engine ({{ $variable }}) to prevent XSS.
Use e() for escaping dynamic content in non-Blade contexts.
SQL Injection Prevention:
Use Laravel’s query builder or Eloquent ORM to avoid directly executing raw queries.
Parameterize queries to eliminate injection risks.
File Upload Security:
Restrict allowed file types.
Store uploaded files outside the web root.
Validate file size and sanitize file names.
Tools Used:
OWASP ZAP for input validation testing
Laravel-specific tools like Larastan for static analysis
Reviewing Encryption and Data Storage Practices:
Sensitive data such as passwords, tokens, and personal information must be encrypted at rest and in transit.
Encryption:
Ensure sensitive data is encrypted using Laravel’s Crypt facade.
Use secure algorithms like AES-256 for encryption.
Database Security:
Use prepared statements and ORM to protect against SQL injection.
Regularly update database credentials and use role-based access control (RBAC) for database users.
Logs:
Avoid logging sensitive information in production.
Rotate logs periodically to prevent unauthorized access.
Tools Used:
Laravel’s encryption and hashing tools
Database auditing tools like MySQL Enterprise Audit
Analyzing API Security:
APIs are a common attack vector and require careful attention during a security audit.
Key Areas to Examine:
Authentication:
Use token-based authentication (e.g., Laravel Passport or Sanctum).
Secure API tokens using strong hashing algorithms.
Rate Limiting:
Protect against brute force attacks using Laravel’s rate-limiting middleware.
Input Validation:
Validate and sanitize all API inputs to prevent injection attacks.
CORS Policies:
Restrict origins to trusted domains using Laravel’s CORS middleware.
Error Handling:
Ensure error responses do not expose sensitive information.
Tools Used:
Postman for manual API testing
Automated scanners like OWASP ZAP for API vulnerability testing.
Securing Third-Party Dependencies:
Laravel applications often rely on third-party packages and libraries. Unmaintained or insecure dependencies can introduce vulnerabilities.
Best Practices:
Dependency Management:
Use Composer to manage dependencies.
Regularly update dependencies to their latest stable versions.
Review Package Integrity:
Verify package integrity using checksums.
Avoid installing unnecessary or unverified packages.
Monitoring Tools:
Use tools like Snyk or Dependabot to monitor for Laravel vulnerabilities in third-party packages.
Tools Used:
Composer security audit (composer audit)
Dependency scanners like Snyk
Conducting Penetration Testing:
Penetration testing simulates real-world attacks to uncover vulnerabilities in the application.
Techniques Used:
Black-box testing to simulate an attacker without prior knowledge of the system.
Exploiting common vulnerabilities like XSS, CSRF, and SQL injection.
Testing for logic flaws and business logic vulnerabilities.
Tools Used:
OWASP ZAP and Burp Suite for penetration testing
Kali Linux tools like SQLMap for SQL injection testing
Ensuring Compliance and Reporting:
Security audits must align with relevant compliance standards such as GDPR, HIPAA, or PCI-DSS.
Compliance Checklist:
Perform data protection impact assessments (DPIAs) where applicable.
Verify adherence to data retention policies.
Ensure encryption and logging practices meet regulatory requirements.
Reporting:
Provide a detailed report outlining identified vulnerabilities, their severity, and recommendations for mitigation.
Use scoring systems like CVSS to prioritize vulnerabilities.
Tools Used:
Compliance frameworks like NIST Cybersecurity Framework
Reporting templates with vulnerability severity matrices.
Implementing Remediation Strategies:
Addressing identified vulnerabilities is as important as finding them. A phased remediation strategy ensures all issues are resolved effectively.
Prioritization:
Critical vulnerabilities, such as exposed secrets or SQL injection risks, must be addressed immediately.
Medium and low severity issues can be scheduled for later sprints.
Post-Fix Testing:
Re-test the application to verify that fixes have resolved the vulnerabilities.
Conduct regression testing to ensure no new issues have been introduced.
Tools Used:
Automated testing suites integrated with CI/CD pipelines
Regression testing tools like PHPUnit for Laravel
Establishing an Ongoing Security Plan:
A one-time security audit is not enough. Continuous monitoring and periodic audits are essential for long-term security.
Ongoing Practices:
Regularly update Laravel and its dependencies.
Implement a robust security training program for developers.
Set up automated alerts for suspicious activities using monitoring tools like Laravel Telescope.
Proactive Measures:
Perform regular backups and disaster recovery testing.
Use Web Application Firewalls (WAFs) to block malicious traffic.
Boost Laravel Security
Laravel is the perfect choice for a wide range of applications. However, businesses need to be aware that securing their Laravel application is an ongoing and circular process. It will require the help of an expert team of Laravel developers. Businesses can take advantage of the Laravel development services we offer at Acquaint Softtech.
We are one of the few firms in Asia that is an official Laravel partner. Hence, besides having the necessary resources, you will also hire Laravel developers who always implement the security best practices.
For example, we never take any shortcuts and continuously monitor the security status of the application. Our applications are developed with a high-security principle of the least privileges. We grant sufficient user permission for the application to function but no more than necessary.
Conclusion
A Laravel security audit is an essential step in building secure and reliable web applications. Regular audits, combined with a security-first mindset, empower businesses to stay ahead of evolving threats and maintain user trust in their applications.
Address Laravel vulnerabilities, ensure compliance, and implement current security practices. This is the ideal method to protect sensitive data and safeguard their applications from cyber threats.
However, an in-depth security audit of a Laravel application requires a comprehensive approach. Hire remote developers from a professional firm like Acquaint Softtech to achieve this.
This approach involves authentication, data protection, input validation, session management, and more. We can significantly enhance the security posture of your Laravel application and protect it against common vulnerabilities and threats. Regular audits and updates are essential to maintaining a secure environment as new threats emerge.
0 notes
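The environment-configuration checklist from the Laravel security audit post above, as an added example (not code from the post or from Laravel): a Python audit of a `.env` file's contents and location. It assumes the stock `config/app.php` handling of `APP_DEBUG` and the default AES-256-CBC cipher with a 32-byte key; the sample files, paths and finding names are constructed.

```python
"""Audit a Laravel .env file: APP_DEBUG, APP_KEY strength, and file location."""
import base64
import binascii
from pathlib import PurePosixPath

# Assumption: default AES-256-CBC cipher, so APP_KEY is "base64:" + 32 random bytes.
KEY_BYTES = 32
# Assumption: stock config/app.php reads (bool) env('APP_DEBUG', false). Laravel's
# env() maps only these literals to false/empty/null; PHP casts any other
# non-empty string except "0" to true, so "off" or "no" ENABLE debug mode.
FALSY = {"", "false", "(false)", "0", "null", "(null)", "empty", "(empty)"}


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments; strip quotes and inline comments."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[:1] in ("'", '"') and value.endswith(value[0]):
            value = value[1:-1]
        else:
            value = value.split(" #", 1)[0].strip()
        values[key.strip()] = value
    return values


def check_app_key(value):
    """Return a problem description for APP_KEY, or None if it looks sound."""
    if not value:
        return "APP_KEY is empty"
    if not value.startswith("base64:"):
        return "APP_KEY lacks the base64: prefix written by `php artisan key:generate`"
    try:
        key = base64.b64decode(value[len("base64:"):], validate=True)
    except (binascii.Error, ValueError):
        return "APP_KEY is not valid base64"
    if len(key) != KEY_BYTES:
        return f"APP_KEY decodes to {len(key)} bytes, expected {KEY_BYTES}"
    if len(set(key)) < 16:  # 32 random bytes almost never repeat this much
        return "APP_KEY has very low byte diversity; it was not randomly generated"
    return None


def env_inside_docroot(env_path, docroot):
    """True if the web server's document root is a parent directory of .env."""
    return PurePosixPath(docroot) in PurePosixPath(env_path).parents


def audit_env(text, env_path=None, docroot=None):
    """Return a list of (finding_id, message) tuples for one .env file."""
    env = parse_env(text)
    findings = []
    production = env.get("APP_ENV", "production").lower() == "production"
    debug_on = env.get("APP_DEBUG", "false").lower() not in FALSY
    if production and debug_on:
        findings.append(("debug-enabled",
                         f"APP_DEBUG={env.get('APP_DEBUG')!r} evaluates to true in production"))
    key_problem = check_app_key(env.get("APP_KEY", ""))
    if key_problem:
        findings.append(("weak-app-key", key_problem))
    if env_path and docroot and env_inside_docroot(env_path, docroot):
        findings.append(("env-in-docroot",
                         f"{env_path} sits under document root {docroot}; "
                         "point the server at the public/ directory"))
    return findings


# Constructed sample inputs (not real secrets).
BAD_ENV = (
    "APP_ENV=production\n"
    "APP_DEBUG=off   # looks disabled, but PHP casts the string to true\n"
    "APP_KEY=base64:" + base64.b64encode(bytes(32)).decode() + "\n"
)
GOOD_ENV = (
    "APP_ENV=production\n"
    "APP_DEBUG=false\n"
    "APP_KEY=base64:" + base64.b64encode(bytes(range(32))).decode() + "\n"
)

if __name__ == "__main__":
    for finding_id, message in audit_env(BAD_ENV, "/var/www/app/.env", "/var/www/app"):
        print(f"[{finding_id}] {message}")
```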
Text
CW: Suicide I need to add: 1. While in college, I spent a summer (1978) copyediting for Physical Review, a physics journal (or group of them -- there were Phys. Rev. A, B, C, and Phys. Rev. Lett). One of the things I saw was how publication of papers was systematically delayed if "pub fees" (publication fees) were not paid. Staff would literally put the folder with the marked-up MS into a drawer in a filing cabinet, the drawer designated for items delayed by nonpayment of pub fees. Once the payment was received, they'd go into another drawer for papers slated for publication.
2. Several years of my high-tech career were spent programming for Lexis-Nexis, a company specializing in services for the legal profession, including access to their galactically massive database of caselaw needed for legal citation. In my earliest days there, Lexis-Nexis was bought by what was then called Reed-Elsevier (now RELX), the publication giant whose subsidiary Elsevier is a major villain mentioned in Doctorow's post. I will not go into depth about the gross mismanagement of the layoff they perpetrated on our division of Lexis-Nexis, which had originally been an independent software company. I vaguely recall already telling that story here, probably in response to another Cory Doctorow article, that one likely about enshittification in the software sector. RELX still owns Lexis-Nexis (now LexisNexis).
3. RELX (formerly Reed-Elsevier) owns RX, formerly Reed Exhibitions, the world's largest exhibition company. One of its divisions is ReedPop, which runs New York Comic Con and the PAX gamer conventions.
MIT libraries are thriving without Elsevier
I'm coming to BURNING MAN! On TUESDAY (Aug 27) at 1PM, I'm giving a talk called "DISENSHITTIFY OR DIE!" at PALENQUE NORTE (7&E). On WEDNESDAY (Aug 28) at NOON, I'm doing a "Talking Caterpillar" Q&A at LIMINAL LABS (830&C).
Once you learn about the "collective action problem," you start seeing it everywhere. Democrats – including elected officials – all wanted Biden to step down, but none of them wanted to be the first one to take a firm stand, so for months, his campaign limped on: a collective action problem.
Patent trolls use bullshit patents to shake down small businesses, demanding "license fees" that are high, but much lower than the cost of challenging the patent and getting it revoked. Collectively, it would be much cheaper for all the victims to band together and hire a fancy law firm to invalidate the patent, but individually, it makes sense for them all to pay. A collective action problem:
https://locusmag.com/2013/11/cory-doctorow-collective-action/
Musicians get royally screwed by Spotify. Collectively, it would make sense for all of them to boycott the platform, which would bring it to its knees and either make it pay more or put it out of business. Individually, any musician who pulls out of Spotify disappears from the horizon of most music fans, so they all hang in – a collective action problem:
https://pluralistic.net/2024/06/21/off-the-menu/#universally-loathed
Same goes for the businesses that get fucked out of 30% of their app revenues by Apple and Google's mobile business. Without all those apps, Apple and Google wouldn't have a business, but any single app that pulls out commits commercial suicide, so they all hang in there, paying a 30% vig:
https://pluralistic.net/2024/08/15/private-law/#thirty-percent-vig
That's also the case with Amazon sellers, who get rooked for 45-51 cents out of every dollar in platform junk fees, and whose prize for succeeding despite this is to have their product cloned by Amazon, which underprices them because it doesn't have to pay a 51% rake on every sale. Without third-party sellers there'd be no Amazon, but it's impossible to get millions of sellers to all pull out at once, so the Bezos crime family scoops up half of the ecommerce economy in bullshit fees:
https://pluralistic.net/2023/11/06/attention-rents/#consumer-welfare-queens
This is why one definition of "corruption" is a system with "concentrated gains and diffuse losses." The company that dumps toxic waste in your water supply reaps all the profits of externalizing its waste disposal costs. The people it poisons each bear a fraction of the cost of being poisoned. The environmental criminal has a fat warchest of ill-gotten gains to use to bribe officials and pay fancy lawyers to defend it in court. Its victims are each struggling with the health effects of the crimes, and even without that, they can't possibly match the polluter's resources. Eventually, the polluter spends enough money to convince the Supreme Court to overturn "Chevron deference" and makes it effectively impossible to win the right to clean water and air (or a planet that's not on fire):
https://www.cfr.org/expert-brief/us-supreme-courts-chevron-deference-ruling-will-disrupt-climate-policy
Any time you encounter a shitty, outrageous racket that's stable over long timescales, chances are you're looking at a collective action problem. Certainly, that's the underlying pathology that preserves the scholarly publishing scam, which is one of the most grotesque, wasteful, disgusting frauds in our modern world (and that's saying something, because the field is crowded with many contenders).
Here's how the scholarly publishing scam works: academics do original scholarly research, funded by a mix of private grants, public funding, funding from their universities and other institutions, and private funds. These academics write up their findings and send it to a scholarly journal, usually one that's owned by a small number of firms that formed a scholarly publishing cartel by buying all the smaller publishers in a string of anticompetitive acquisitions. Then, other scholars review the submission, for free. More unpaid scholars do the work of editing the paper. The paper's author is sent a non-negotiable contract that requires them to permanently assign their copyright to the journal, again, for free. Finally, the paper is published, and the institution that paid the researcher to do the original research has to pay again – sometimes tens of thousands of dollars per year! – for the journal in which it appears.
The academic publishing cartel insists that the millions it extracts from academic institutions and the billions it reaps in profit are all in service to serving as neutral, rigorous gatekeepers who ensure that only the best scholarship makes it into print. This is flatly untrue. The "editorial process" the academic publishers take credit for is virtually nonexistent: almost everything they publish is virtually unchanged from the final submission format. They're not even typesetting the paper:
https://link.springer.com/article/10.1007/s00799-018-0234-1
The vetting process for peer-review is a joke. Literally: an Australian academic managed to get his dog appointed to the editorial boards of seven journals:
https://www.atlasobscura.com/articles/olivia-doll-predatory-journals
Far from guarding scientific publishing from scams and nonsense, the major journal publishers have stood up entire divisions devoted to pay-to-publish junk science. Elsevier – the largest scholarly publisher – operated a business unit that offered to publish fake journals full of unreviewed "advertorial" papers written by pharma companies, packaged to look like a real journal:
https://web.archive.org/web/20090504075453/http://blog.bioethics.net/2009/05/merck-makes-phony-peerreview-journal/
Naturally, academics and their institutions hate this system. Not only is it purely parasitic on their labor, it also serves as a massive brake on scholarly progress, by excluding independent researchers, academics at small institutions, and scholars living in the global south from accessing the work of their peers. The publishers enforce this exclusion without mercy or proportion. Take Diego Gomez, a Colombian Masters candidate who faced eight years in prison for accessing a single paywalled academic paper:
https://www.eff.org/deeplinks/2014/07/colombian-student-faces-prison-charges-sharing-academic-article-online
And of course, there's Aaron Swartz, the young activist and Harvard-affiliated computer scientist who was hounded to death after he accessed – but did not publish – papers from MIT's JSTOR library. Aaron had permission to access these papers, but JSTOR, MIT, and the prosecutors Stephen Heymann and Carmen Ortiz argued that because he used a small computer program to access the papers (rather than clicking on each link by hand) he had committed 13 felonies. They threatened him with more than 30 years in prison, and drew out the proceedings until Aaron was out of funds. Aaron hanged himself in 2013:
https://en.wikipedia.org/wiki/Aaron_Swartz
Academics know all this terrible stuff is going on, but they are trapped in a collective action problem. For an academic to advance in their field, they have to publish, and they have to get their work cited. Academics all try to publish in the big prestige journals – which also come with the highest price-tag for their institutions – because those are the journals other academics read, which means that getting published in a top journal increases the likelihood that another academic will find and cite your work.
If academics could all agree to prioritize other journals for reading, then they could also prioritize other journals for submissions. If they could all prioritize other journals for submissions, they could all prioritize other journals for reading. Instead, they all hold one another hostage, through a wicked collective action problem that holds back science, starves their institutions of funding, and puts their colleagues at risk of imprisonment.
Despite this structural barrier, academics have fought tirelessly to escape the event horizon of scholarly publishing's monopoly black hole. They avidly supported "open access" publishers (most notably PLoS), and while these publishers carved out pockets for free-to-access, high quality work, the scholarly publishing cartel struck back with package deals that bundled their predatory "open access" journals in with their traditional journals. Academics had to pay twice for these journals: first, their institutions paid for the package that included them, then the scholars had to pay open access submission fees meant to cover the costs of editing, formatting, etc – all that stuff that basically doesn't exist.
Academics started putting "preprints" of their work on the web, and for a while, it looked like the big preprint archive sites could mount a credible challenge to the scholarly publishing cartel. So the cartel members bought the preprint sites, as when Elsevier bought out SSRN:
https://www.techdirt.com/2016/05/17/disappointing-elsevier-buys-open-access-academic-pre-publisher-ssrn/
Academics were elated in 2011, when Alexandra Elbakyan founded Sci-Hub, a shadow library that aims to make the entire corpus of scholarly work available without barrier, fear or favor:
https://sci-hub.ru/alexandra
Sci-Hub neutralized much of the collective action trap: once an article was available on Sci-Hub, it became much easier for other scholars to locate and cite, which reduced the case for paying for, or publishing in, the cartel's journals:
https://arxiv.org/pdf/2006.14979
The scholarly publishing cartel fought back viciously, suing Elbakyan and Sci-Hub for tens of millions of dollars. Elsevier targeted prepress sites like academia.edu with copyright threats, ordering them to remove scholarly papers that linked to Sci-Hub:
https://svpow.com/2013/12/06/elsevier-is-taking-down-papers-from-academia-edu/
This was extremely (if darkly) funny, because Elsevier's own publications are full of citations to Sci-Hub:
https://eve.gd/2019/08/03/elsevier-threatens-others-for-linking-to-sci-hub-but-does-it-itself/
Meanwhile, scholars kept the pressure up. Tens of thousands of scholars pledged to stop submitting their work to Elsevier:
http://thecostofknowledge.com/
Academics at the very tops of their fields publicly resigned from the editorial board of leading Elsevier journals, and published editorials calling the Elsevier model unethical:
https://www.theguardian.com/science/blog/2012/may/16/system-profit-access-research
And the New Scientist called the racket "indefensible," decrying it as an industry that made restricting access to knowledge "more profitable than oil":
https://www.newscientist.com/article/mg24032052-900-time-to-break-academic-publishings-stranglehold-on-research/
But the real progress came when academics convinced their institutions, rather than one another, to do something about these predator publishers. First came funders, private and public, who announced that they would only fund open access work:
https://www.nature.com/articles/d41586-018-06178-7
Winning over major funders cleared the way for open access advocates to work both the supply-side and the buy-side. In 2019, the entire University of California system announced it would be cutting all of its Elsevier subscriptions:
https://www.science.org/content/article/university-california-boycotts-publishing-giant-elsevier-over-journal-costs-and-open
Emboldened by the UC system's principled action, MIT followed suit in 2020, announcing that it would no longer send $2m every year to Elsevier:
https://pluralistic.net/2020/06/12/digital-feudalism/#nerdfight
It's been four years since MIT's decision to boycott Elsevier, and things are going great. The open access consortium SPARC just published a stocktaking of MIT libraries without Elsevier:
https://sparcopen.org/our-work/big-deal-knowledge-base/unbundling-profiles/mit-libraries/
How are MIT's academics getting by without Elsevier in the stacks? Just fine. If someone at MIT needs access to an Elsevier paper, they can usually access it by asking the researchers to email it to them, or by downloading it from the researcher's site or a prepress archive. When that fails, there's interlibrary loan, whereby other libraries will send articles to MIT's libraries within a day or two. For more pressing needs, the library buys access to individual papers through an on-demand service.
This is how things were predicted to go. The libraries used their own circulation data and the webservice Unsub to figure out what they were likely to lose by dropping Elsevier – it wasn't much!
https://unsub.org/
The MIT story shows how to break a collective action problem – through collective action! Individual scholarly boycotts did little to hurt Elsevier. Large-scale organized boycotts raised awareness, but Elsevier trundled on. Sci-Hub scared the shit out of Elsevier and raised awareness even further, but Elsevier had untold millions to spend on a campaign of legal terror against Sci-Hub and Elbakyan. But all of that, combined with high-profile defections, made it impossible for the big institutions to ignore the issue, and the funders joined the fight. Once the funders were on-side, the academic institutions could be dragged into the fight, too.
Now, Elsevier – and the cartel – is in serious danger. Automated tools – like the Authors Alliance termination of transfer tool – let academics get the copyright to their papers back from the big journals so they can make them open access:
https://pluralistic.net/2021/09/26/take-it-back/
Unimaginably vast indices of all scholarly publishing serve as important adjuncts to direct access shadow libraries like Sci-Hub:
https://pluralistic.net/2021/10/28/clintons-ghost/#cornucopia-concordance
Collective action problems are never easy to solve, but they're impossible to address through atomized, individual action. It's only when we act as a collective that we can defeat the corruption – the concentrated gains and diffuse losses – that allow greedy, unscrupulous corporations to steal from us, wreck our lives and even imprison us.
Community voting for SXSW is live! If you wanna hear RIDA QADRI and me talk about how GIG WORKERS can DISENSHITTIFY their jobs with INTEROPERABILITY, VOTE FOR THIS ONE!
If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:
https://pluralistic.net/2024/08/16/the-public-sphere/#not-the-elsevier
Text
Best Practices for Managing the Document Lifecycle
Effective management of the document lifecycle is critical to businesses that desire to improve their productivity, meet their legal requirements, and get maximum value from their resources. Best practices at each stage of creating, using, storing, securing, and disposing of records help businesses ensure data remains secure and is easily accessible to those who need it. In this article, we will explain what the Document Lifecycle is, as well as the best practices and challenges.
Understanding the Document Lifecycle
The document management life cycle identifies every phase that is encountered in the handling of the document, from its creation to its disposal. It guarantees that documents are processed in a way that is sensible, secure, and compliant. Awareness of each stage of the document life cycle, including generation, modification, categorization, storage, distribution, continual usage, archive, and final disposal, allows organizations to minimize document-related dangers and improve their work processes. Many factors affect the access and integrity of the data that needs to be maintained through proper lifecycle management.
Best Practices for Document Lifecycle Management
Creation and Initial Control
Standardized creation protocols are important to ensure consistency and accuracy. The use of templates and pre-defined formats ensures that all documents have the same look and feel. Data capture technologies, such as Optical Character Recognition (OCR), reduce manual entry errors and increase efficiency.
Editing, Review, and Approval
Implementing collaborative editing tools allows multiple stakeholders to review and edit documents at the same time. This can improve transparency while reducing turnaround times. Version control systems need to be robust to track changes and provide a history of document revisions, which is an important aspect of audit trails and historical accuracy.
Indexing and Classification
Developing a comprehensive system for metadata and tagging facilitates easy retrieval and classification of documents. Leveraging artificial intelligence for advanced document classification enables more accurate and efficient organization.
Storage and Accessibility
Using secure digital repositories will protect sensitive data and ensure data integrity. Using the cloud provides more access due to its scalability and greater security capabilities. Having a centralized system to store all files ensures that everything stays similar and easy to access, reducing confusion caused by differences in folder structures across the organization.
Distribution and Sharing
Implementing strict access controls determines who can view, edit, or share documents, especially for confidential or sensitive information. Using secure platforms for document sharing ensures encryption and secure transmission of data.
Challenges in Document Lifecycle Management
Data Security Risks: Ensuring sensitive information is protected throughout the lifecycle is challenging, especially with cyber threats and unauthorized access risks.
Version Control Issues: Managing multiple versions of documents can lead to confusion and errors without robust version control systems.
Regulatory Compliance: Adhering to various legal and industry-specific regulations requires meticulous documentation and consistent updates to avoid penalties.
Storage and Retrieval Complexity: Efficiently storing and retrieving documents, especially in large volumes, can be time-consuming without proper indexing and classification systems.
Conclusion
Effective document lifecycle management requires both efficiency and compliance. The automation of these processes typically cuts down on many mistakes and saves time for organizations. Zenphi, the only no-code process automation tool for Google Workspace, offers advanced AI-powered automation, along with seamless integration with leading business apps. Use Zenphi to streamline your document lifecycle management successfully for peak performance and higher productivity. Apply Zenphi for transformation in your seamless, easy, and error-free document management processes today.
Text
Accounting and Services
Accounting and services play a critical role in the financial health and operational efficiency of businesses, whether small startups or large corporations. By providing accurate financial records, actionable insights, and compliance with regulatory requirements, these services form the backbone of sound business decisions.
What is Accounting?
Accounting is the process of recording, summarizing, analyzing, and reporting financial transactions of a business. It ensures that all financial activities are systematically documented, enabling businesses to track income, expenses, assets, and liabilities. This discipline also facilitates compliance with legal and tax obligations, giving stakeholders confidence in the organization’s financial integrity.
Core Accounting Services
Bookkeeping
The foundation of accounting, bookkeeping involves the systematic recording of daily financial transactions. It includes tasks such as maintaining ledgers, reconciling bank statements, and tracking invoices.
Financial Reporting
Accountants prepare financial statements, including the balance sheet, income statement, and cash flow statement. These reports provide a snapshot of the company's financial health and are essential for decision-making.
Tax Preparation and Compliance
Accounting services help businesses navigate complex tax laws, ensuring timely and accurate filing of tax returns while maximizing deductions and minimizing liabilities.
Payroll Services
Managing payroll involves calculating employee salaries, withholding taxes, and ensuring compliance with labor laws. Accounting services streamline this process to avoid errors and delays.
Audit and Assurance
Audits provide an independent review of a company’s financial statements, ensuring accuracy and compliance with regulatory standards. Assurance services offer insights into operational efficiency and risk management.
Management Accounting
This branch focuses on providing financial insights to internal stakeholders, such as cost analysis, budgeting, and performance metrics, to guide strategic decisions.
Importance of Accounting Services
Financial Clarity
Accurate accounting ensures businesses understand their financial position, enabling them to make informed decisions and plan for the future.
Regulatory Compliance
Professional accounting services ensure adherence to local and international financial regulations, reducing the risk of legal penalties.
Business Growth
By analyzing financial data, accountants identify opportunities for cost reduction, revenue enhancement, and investment, fostering growth.
Risk Management
Effective accounting identifies potential financial risks, enabling businesses to implement proactive strategies to mitigate them.
The Role of Technology in Accounting
Modern accounting heavily relies on technology to enhance accuracy and efficiency. Software solutions like QuickBooks, Xero, and SAP automate tasks, integrate data, and generate real-time financial insights. Emerging trends, such as cloud computing, artificial intelligence, and blockchain, are further revolutionizing the field by improving security, scalability, and transparency.
Choosing the Right Accounting Services
Selecting the right accounting service provider is crucial for maximizing benefits. Consider factors such as:
Expertise in your industry.
Range of services offered.
Technological capabilities.
Reputation and client reviews.
Conclusion
Accounting and related services are indispensable for businesses aiming to thrive in today’s competitive landscape. By ensuring financial accuracy, compliance, and strategic insights, they empower businesses to focus on growth and innovation. Whether through in-house teams or outsourced providers, investing in quality accounting services is a smart decision for any organization.
Text
SPARK App Review – Host unlimited Websites and Domains
Welcome to my SPARK App Review. In a world where technology evolves rapidly, website creation becomes easy when there are tools that help streamline the process. For businesses, developers, and hobbyists alike this is a game changer. Learn more about SPARK App, the new generation of AI website building and management suite, designed to get you into the world of website creation and management without much sweat.
SPARK App comes with features like full cloud hosting, cPanel access and an impressive suite of 99 AI tools like the all new Sora AI which will change the way we define the building of and maintaining our presence online. In this detailed review of the SPARK App, we tease out the most important features, benefits, pricing, pros, cons, and will help you determine if the SPARK App is the right choice for your website creation needs.
What Is SPARK App?
SPARK App is an artificial intelligence website builder software which intends to meet the needs of individuals and business entities who wish to launch corporate-like websites with ease. Including 99 AI templates and the recently launched Sora AI, the app automates tasks, which previously were challenging to deal with, like design, coding, content creation, and SEO.
Hosting is divided into full cloud which includes cPanel functionality and all necessary options for controlling websites and blogs. Its full package approach is focused on mileage and utility, which means that Freelancer may just become a favorite platform of entrepreneurs, marketers and developers.
SPARK App Review: Overview of Product
Product Creator: Mike & Radu
Product Name: SPARK
Launch Date: 2025-Jan-20
Launch Time: 11:00 EST
Front-End Price: $17 (One-time payment)
Product Type: Tools and Software
Support: Effective Response
Recommended: Highly Recommended
Bonuses: YES, Huge Bonuses
Skill Level Required: All Levels
Discount Coupon: Use Code “SPARK6” To Get $6 Off (Full Funnel)
Refund: YES, 30 Days Money-Back Guarantee
SPARK App Review: About Authors
SPARK is brought to you by the masterminds Mike and Radu. Mike, with his extensive experience in software development and user interface design, has made SPARK both intuitive and powerful. Radu, an expert in the ultimate AI-Powered Website Creation Suite, has integrated advanced features that effortlessly drive traffic and maximize sales.
His interest in technology that changes the game goes beyond this release. There are great items in his collection, such as Prestige, Flicker, Nucleus, ProfitList, ProfitCodex, ProfitWPH, ProfitStays, ProfitShopper, ProfitSpark, ProfitSoci, ProfitSGE, ProfitMarc, ProfitClass, ProfitCom, ProfitReply AI, ProfitAudio, ProfitTok, ProfitTV, ProfitTurbo, ProfitChat, GPT eBook Pack, and many others.
SPARK App Review: Key Features of SPARK App
Host unlimited websites and domains on our cloud hosting servers for a low one-time fee
99 premium paid AIs included (Sora AI, ChatGPT omni PRO, Google Gemini Ultra Advanced, DallE 3 HD, Whisper AI, Midjourney Mega, Leonardo PRO, Copilot Pro, and many more)
Get faster loading websites than ever before with 100% uptime
60-Second Setup Wizard Lets You Quickly Get Your Sites Live On Our Servers
Create incredible pages, funnels and affiliate websites with drag & drop ease using the built-in website builder
Dedicated server cluster with built-in DDOS protection, 24/7 backups and hacker-proof security
Unlimited Free end-to-end SSL encryption protects you and your websites
Pay once, use forever hosting on unlimited domains or sites
Unlimited bandwidth with NO monthly or yearly fee
Host all of your website’s data including files, images and graphics
100% Newbie Friendly with point-and-click user interface
Your own personalized business email accounts
Legal compliance (GDPR, ADA, etc) built-in
Free one-click WordPress installer with next-generation control panel
24/7 support from marketing gurus
Never lose your precious data: malware protection is built right in
No technical skills or experience needed
SPARK App Review: How Does It Work?
Create & Host All Your Sites and Domains in Just 3 Simple Steps with 99 Premium Paid AIs Integrated inside Your cPanel (and with ZERO monthly fees)
Step #1: Enter Your Domain Name inside SPARK Cloud Hosting (you can add unlimited domains and websites)
Step #2: Use Our 60-Second AI Setup Wizard To Create Your Dream Website From Inside cPanel (Actual Premium Paid AIs like ChatGPT PRO build you entire sites, write unlimited content, create amazing HD videos and images and even code SAAS apps for you)
Step #3: Use Our Drag & Drop Website Builder To Design Gorgeous Pages, Sales Funnels And Websites (Create better-looking and faster-loading sites than ever before, access and share from anywhere in the world with unlimited bandwidth, 100% uptime and end-to-end malware protection)
SPARK App Review: Benefits of SPARK App
Fully-Responsive Designs That Look Amazing on All Devices!
Create Unlimited Websites Without Additional Costs!
Built-In eCom Features for Launching Online Stores!
Nothing to Configure – It’s All Done-For-You!
Get Real-Time Feedback and Suggestions from AI to Perfect Your Website!
Never Seen Before AI Tools for Custom Designs, Animations, Branding, and MORE!
Start Your Very Own Website Design and Hosting Business!
This Software Has Been Fully Tested By Us Personally and Is Proven To Work!
Full Commercial Rights – Offer This Incredible Service To Clients!
24/7 Support from Marketing Experts!
Perfect For Affiliates, eCom Sellers, Offline…Everyone!
100% Newbie-Friendly, Easy-To-Use Software!
Never Been Done Before!
SPARK App Review: Why You Must Grab SPARK
Build entire affiliate websites on Spark hosting
Write unlimited unique content for those websites
Code any apps that you can host inside Spark
Create amazing HD videos and HOST them as well with our Spark video player
Generate graphics and images
Turn any text into human sounding speech
Create music that can top the Billboard charts
Publish NY Times bestselling books
Manage your social media accounts
Clone any voice and setup talking avatars
Get you #1 rankings via SEO and backlinks
Run live chatbots for support & sales
Even create entire Hollywood-polish movies using Sora AI
SPARK App Review: Who Should Use It?
Affiliate Marketer
Business Owners
Coaches/Trainers
Product Creators
SAAS Owners
Video Marketer
E-Com Seller
Webinar/Seminar Presenter
Freelancers
Agency Owners
Newbies
Digital Marketer
Website Owners
And Many Others
SPARK App Review: OTO’s And Pricing
Add My Bundle Coupon Code “SPARKS30” – For 30% Off Any Funnel OTO Below
Front End Price: SPARK Regular ($17)
OTO1: SPARK PRO ($32.90)
OTO2: SPARK Enterprise ($62)
OTO3: SPARK DFY ($39)
OTO4: SPARK Reseller ($197)
OTO5: SPARK IMX Bundle ($97)
SPARK App Review: Pros and Cons
No tool is perfect, and understanding its Pros and Cons is essential. Here’s a breakdown:
Pros:
Time-Saving: AI automation reduces the time spent on manual tasks.
Ease of Use: A user-friendly interface makes it accessible to beginners.
Comprehensive Features: From hosting to design, SPARK App covers all bases.
Scalability: Suitable for small projects and large enterprises alike.
Cost-Effective: Eliminates the need for multiple tools, saving money in the long run.
Cons:
Requires a one-time investment
To use this product, you must have internet access.
Nothing wrong with it, it works perfectly!
My Own Customized Exclusive VIP Bonus Bundle
***How To Claim These Bonuses***
Step #1:
Complete your purchase of the SPARK App: My Special Unique Bonus Bundle will be visible on your access page as an Affiliate Bonus Button on WarriorPlus immediately after purchase. And before ending my honest SPARK App Review, I told you that I would give you my very own unique PFTSES formula for Free.
Step #2:
Send the proof of purchase to my e-mail “[email protected]” (Then I’ll manually Deliver it for you in 24 HOURS).
Frequently Asked Questions (FAQ’s)
Q. Is SPARK cloud-based?
Yes, SPARK is a cloud-based hosting solution easy to access from anywhere. Works with Mac, PC and mobile.
Q. Does SPARK cost a monthly fee?
When you act now, you’re getting one-time access to SPARK without EVER having to pay a monthly fee 🙂
Q. Are others using SPARK already?
Yes – we have more than 19,000 happy customers already. Some of their feedback is being represented on this very page above.
Q. Do I need any tech skills or experience to make this work?
NO – SPARK is seamless and 100% newbie friendly.
Q. Are there any restrictions?
You are able to upload, create and host an unlimited number of websites. You can add unlimited domains, enjoy unlimited bandwidth and unlimited SSL licenses. You can create unlimited email accounts. There is a 10GB total storage limit across all your domains, but no limit on any individual domain. If you need more storage you can easily upgrade – all upgrades for early adopters are also a one-time fee. Pay once, enjoy forever.
Q. Is Support & Training Included?
Absolutely. By purchasing today you can get instant access to the training portal and the 24/7 support desk.
My Recommendation
SPARK App is a game-changing platform in website building and management. For users across industries, its combination of full cloud hosting, cPanel access and 99 AI tools, including Sora AI, makes for a comprehensive package. It’s expensive for the advanced plans and has a small learning curve, but if you break it down, the benefits are many.
If you’re doing any kind of website building, SPARK is one of those services you should be considering via one of the various ways listed below. Its robust feature set and intuitive interface means you’ll be all set to churn out the best professional websites that matter so much in today’s competitive online environment.
Thanks for reading my “SPARK Review” till the end. I hope it will help you make your purchase decision.