Voice-First Technology Is About To Kill Advertising As We Know It | Forbes

Voice-First Technology Is About To Kill Advertising As We Know ItBrian Roemmele (expert); In Forbes; 2016-12.

rebuttal: there can be no ads in “voice first”?  Silly wrabbit. It will be like AM radio.  Want to turn on a light?  First listen to this ad.

Hardware Fingerprinting Using HTML5 | Nakibly, Shelef, Yudilevich

Gabi Nakibly, Gilad Shelef, Shiran Yudilevich; Hardware Fingerprinting Using HTML5; In Some Venue; 2015-03-11; 5 pages; arXiv:1503.01408.


Device fingerprinting over the web has received much attention from both the research community and the commercial market alike. Almost all the fingerprinting features proposed to date depend on software running on the device. All of these features can be changed by the user, thereby thwarting the device’s fingerprint. In this position paper we argue that the recent emergence of the HTML5 standard gives rise to a new class of fingerprinting features that are based on the hardware of the device. Such features are much harder to mask or change and thus provide a higher degree of confidence in the fingerprint. We propose several possible fingerprint methods that allow an HTML5 web application to identify a device’s hardware. We also present an initial experiment to fingerprint a device’s GPU.

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints | Laperdrix, Rudametkin, Baudry

Pierre Laperdrix, Walter Rudametkin, Benoit Baudry; Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints; Technical Report hal-01285470v2, INRIA; 2016-03-14. Also in Proceedings of the 37th IEEE Symposium on Security and Privacy (S&P 2016), 2016-05, San Jose, United States; landing.


Worldwide, the number of people and the time spent browsing the web keeps increasing. Accordingly, the technologies to enrich the user experience are evolving at an amazing pace. Many of these evolutions provide for a more interactive web (e.g., boom of JavaScript libraries, weekly innovations in HTML5), a more available web (e.g., explosion of mobile devices), a more secure web (e.g., Flash is disappearing, NPAPI plugins are being deprecated), and a more private web (e.g., increased legislation against cookies, huge success of extensions such as Ghostery and AdBlock).

Nevertheless, modern browser technologies, which provide the beauty and power of the web, also provide a darker side, a rich ecosystem of exploitable data that can be used to build unique browser fingerprints.

Our work explores the validity of browser fingerprinting in today’s environment. Over the past year, we have collected 118,934 fingerprints composed of 17 attributes gathered thanks to the most recent web technologies. We show that innovations in HTML5 provide access to highly discriminating attributes, notably with the use of the Canvas API which relies on multiple layers of the user’s system. In addition, we show that browser fingerprinting is as effective on mobile devices as it is on desktops and laptops, albeit for radically different reasons due to their more constrained hardware and software environments. We also evaluate how browser fingerprinting could stop being a threat to user privacy if some technological evolutions continue (e.g., disappearance of plugins) or are embraced by browser vendors (e.g., standard HTTP headers).

(Cross-)Browser Fingerprinting via OS and Hardware Level Features | Cao, Song, Wijmans

New Fingerprinting Techniques Identify Users Across Different Browsers on the Same PC; In BleepingComputer; 2017-01-12.

Original Sources

Yinzhi Cao, Song Li, Erik Wijmans; (Cross-)Browser Fingerprinting via OS and Hardware Level Features; In Proceedings of the Network and Distributed System Security Symposium (NDSS 2017); 2017-02; 15 pages.


Yinzhi Cao, Assistant Professor, Computer Science and Engineering Department, Lehigh University.

Separately noted.

Consistency in Non-Transactional Distributed Storage Systems | Viotti, Vukolić

Paolo Viotti (EURECOM), Marko Vukolić (IBM); Consistency in Non-Transactional Distributed Storage Systems; arXiv:1512.00168; 2016-04-12; 46 pages.


Over the years, different meanings have been associated with the word consistency in the distributed systems community. While in the ’80s “consistency” typically meant strong consistency, later defined also as linearizability, in recent years, with the advent of highly available and scalable systems, the notion of “consistency” has been at the same time both weakened and blurred.

In this paper we aim to fill the void in the literature by providing a structured and comprehensive overview of different consistency notions that appeared in distributed systems, and in particular storage systems research, in the last four decades. We overview more than 50 different consistency notions, ranging from linearizability to eventual and weak consistency, defining precisely many of these, in particular where the previous definitions were ambiguous. We further provide a partial order among different consistency predicates, ordering them by their semantic “strength”, which we believe will prove useful in future research. Finally, we map the consistency semantics to different practical systems and research prototypes.

The scope of this paper is restricted to non-transactional semantics, i.e., those that apply to single storage object operations. As such, our paper complements the existing surveys done in the context of transactional, database consistency semantics.

Making Privacy Concrete (Three Words Not Usually Found Together) | NSTIC

Making Privacy Concrete (Three Words Not Usually Found Together); nstic a.k.a. Sean Brooks, Mike Garcia, Naomi Lefkovitz, Suzanne Lightman, Ellen Nadeau; In Some Blog of Gov Delivery; 2017-01-04.

NIST-IR 8062, An Introduction to Privacy Engineering and Risk Management, Sean Brooks, Mike Garcia, Naomi Lefkovitz, Suzanne Lightman, Ellen Nadeau; NIST Internal Report; National Institute of Standards and Technology (NIST), Department of Commerce, United States, 2017-01; 49 pages; NIST.IR.8062

Table of Contents

Executive Summary

  1. Introduction
    1. Purpose and Scope
    2. Audience
    3. Organization of this Document
  2. An Engineering Approach to Privacy
    1. The Relationship Between Information Security and Privacy
    2. Privacy Problems and Systems
    3. Defining Privacy Engineering
      1. The Applicability of Systems Engineering
      2. The Utility of Risk Management
  3. Components for Privacy Engineering in Federal Systems
    1. Introducing Privacy Engineering Objectives
      1. Privacy Engineering Objectives and the FIPPs
        1. Predictability
        2. Manageability
        3. Disassociability
    2. Introducing a Privacy Risk Model
      1. Privacy Risk Factors
      2. Privacy Risk Characteristics
        1. Data Actions
        2. PII
        3. Context
  4. Roadmap for Federal Guidance for Privacy Engineering and Risk Management


Appendix A: NIST Development Process
Appendix B: Glossary
Appendix C: Acronyms
Appendix D: References
Appendix E: Examples of Non-Data Breach Privacy Concerns
Appendix F: The Fair Information Practice Principles (FIPPs)

OpenRTB v2.5 | IAB

OpenRTB 2.3.1 (PDF)
Provides an update to the specification addressing two typos:

  • Section 3.2.13 – In the user object, the buyer ID attribute has been corrected to “buyeruid.”
  • Section 4.4 – The ${AUCTION_BID_ID} macro has been corrected to be substituted with the “BidResponse.bidid” attribute.
OpenRTB 2.3 (PDF)
The OpenRTB 2.3 specification provides support for native ads. This is one of the most significant updates to OpenRTB as it allows for native ads to be targeted, optimized, and transacted on programmatically, reducing workload on publishers and advertisers alike. Release highlights include:

  • Native ad placements must be included directly in the impression object in order to be passed through the bidstream.
  • Allows for the inclusion of metadata (title, urls, data, img files) in the native request. The buy side now has the ability to describe the unit that’s being bid on and the supply side is able to define which fields are available and required in order to assemble the native ad.
  • Updates to the style of the document including improved diagrams and revamped table format to support the continued commitment to OpenRTB.
OpenRTB 2.2 (PDF)
OpenRTB 2.2 provided for improved PMP and non-intentional traffic support. With bot traffic becoming an increasing concern to both the buy and sell sides, OpenRTB 2.2 allows for all parties to be able to provide real-time feedback on ads to determine and block non-human traffic. Release highlights include:

  • Support for differentiating secure and non-secure inventory
  • Exhaustive Deal ID support for Private Marketplaces
  • Improved support for new types of mobile and video inventory
  • Ability for buyers to alert sellers in real time about suspected bot traffic
  • COPPA regulation support
OpenRTB 2.1 (PDF)
OpenRTB 2.1 provided for improved VAST video, tablet and location targeting support. Release highlights include:

  • IAB Tier-2 category support
  • Recognition of tablet inventory
  • VAST video across RTB; the video object must represent an impression as either banner, video or both
  • Location source support; differentiation of GPS derived and zip code value targeting
OpenRTB 2.0 (PDF)
OpenRTB 2.0 provided unified support for display, mobile, and video capabilities. This was a significant step forward for programmatic as it allows for the harmonization of mobile and desktop advertising. Release highlights include:

  • VAST ad unit support
  • Improved geographical data definition
  • Increased cross-channel support for mobile and desktop through a common API language.
  • Improved 3rd party data segment support for audience targeting
  • Enhanced attribution support; inclusion of device IDs in mobile & mobile app parameters

Surviving on a Diet of Poisoned Fruit Reducing the National Security Risks of America’s Cyber Dependencies | Danzig (CNAS)

Richard J. Danzig; Surviving on a Diet of Poisoned Fruit: Reducing the National Security Risks of America’s Cyber Dependencies; Center for a New American Security; 2014-07; 64 pages; landing.

Executive Summary

Digital technologies, commonly referred to as cyber systems, are a security paradox: Even as they grant unprecedented powers, they also make users less secure. Their communicative capabilities enable collaboration and networking, but in so doing they open doors to intrusion. Their concentration of data and manipulative power vastly improves the efficiency and scale of operations, but this concentration in turn exponentially increases the amount that can be stolen or subverted by a successful attack. The complexity of their hardware and software creates great capability, but this complexity spawns vulnerabilities and lowers the visibility of intrusions. Cyber systems’ responsiveness to instruction makes them invaluably flexible; but it also permits small changes in a component’s design or direction to degrade or subvert system behavior. These systems’ empowerment of users to retrieve and manipulate data democratizes capabilities, but this great benefit removes safeguards present in systems that require hierarchies of human approvals. In sum, cyber systems nourish us, but at the same time they weaken and poison us.

The first part of this paper illuminates this intertwining. The second part surveys the evolution of strategies to achieve greater cybersecurity. Disadvantaged by early design choices that paid little attention to security, these strategies provide some needed protection, especially when applied collectively as a coordinated “defense in depth.” But they do not and never can assure comprehensive protection; these strategies are typically costly, and users will commonly choose to buy less security than they could obtain because of the operational, financial or convenience costs of obtaining that security.

Three other factors, discussed in Section V, amplify cyber insecurity. First, the cyber domain is an area of conflict. Cyberspace is adversarial, contested territory. Our adversaries (including criminals, malevolent groups and opposing states) co-evolve with us. The resulting ecosystem is not static or stable. Second, the speed of cyber dissemination and change outpaces our recognition of problems and adoption of individual and societal safeguards to respond to them. Protective actions are likely to continue to lag behind security needs. Third, in cyberspace America confronts greater-than-customary limits to U.S. government power because of the global proliferation of cyber capabilities, cyber attackers’ ability to remain outside the United States even while operating within the country’s systems, and our likely inability, over the long term, to avoid technological surprise. Two-thirds of a century of technological dominance in national security matters has left the United States intuitively ill-prepared for technology competitions that it probably will not continue to dominate and in which there is a high likelihood of surprise.

What then is to be done? The concluding part of this paper does not attempt to recapitulate or evaluate efforts now extensively debated or in progress. It focuses instead on recommending initiatives that deserve fresh attention from U.S. government decision-makers. These include:

  1. Articulate a national security standard defining what it is imperative to protect in cyberspace. The suggested standard is: “The United States cannot allow the insecurity of our cyber systems to reach a point where weaknesses in those systems would likely render the United States unwilling to make a decision or unable to act on a decision fundamental to our national security.” A more stringent standard may later be in order, but this standard can now secure a consensus, illuminate the minimum that the United States needs to do and therefore provide an anvil against which the nation can hammer out programs and priorities.
  2. Pursue a strategy that self-consciously sacrifices some cyber benefits in order to ensure greater security for key systems on which security depends. Methods for pursuing this strategy include stripping down systems so they do less but have fewer vulnerabilities; integrating humans and other out-of-band (i.e., non-cyber) factors so the nation is not solely dependent on digital systems; integrating diverse and redundant cyber alternatives; and making investments for graceful degradation. Determining the trade-offs between operational loss and security gain through abnegating choices will require and reward the development of a new breed of civilian policymakers, managers and military officers able to understand both domains.
  3. Recognize that some private-sector systems fall within the national security standard. Use persuasion, federal acquisition policies, subsidy and regulation to apply the abnegating approach to these systems. While doing this, reflect an appreciation of the rapidity of cyber change by focusing on required ends while avoiding specification of means. Refrain from regulating systems that are not critical.
  4. Bolster cyber strategic stability between the United States and other major nation-states by seeking agreement on cyber constraints and confidence-building measures. As an early initiative of this kind, focus on buttressing the fragile norm of not using cyber as a means of physical attack between China, Russia and the United States.
  5. Evaluate degradation in the sought-after certainties of mutually assured destruction (MAD) as a result of uncertainties inherent in cyber foundations for nuclear command, control and attack warning. If we are moving to a regime of mutually unassured destruction (MUD), suggest to China and Russia that we are all becoming less secure. Then pursue agreements that all parties refrain from cyber intrusions into nuclear command, control and warning systems.
  6. Map the adversarial ecosystem of cyberspace in anthropological detail with the aim of increasing our understanding of our adversaries and our own incentives and methods of operation.
  7. Use the model of voluntary reporting of near-miss incidents in aviation to establish a data collection consortium that will illuminate the character and magnitude of cyber attacks against the U.S. private sector. Use this enterprise as well to help develop common terminology and metrics about cybersecurity.
  8. Establish a federally funded research and development center focused on providing an elite cyber workforce for the federal government. Hire that workforce by cyber competition rather than traditional credentials, and promote, train, retain and assign (including to the private sector) that workforce by standards different from those currently used in federal hiring.