tv Capital News Today CSPAN February 24, 2012 11:00pm-2:00am EST
11:00 pm
to keep federal investigators away from expeditions and their data. unfortunately for us and google our laws are on the side of the government said that's the problem for the government and not for google and this is an important part. we become dependent on companies behaving well. we become dependent demanding the companies we use in our lives treat us well and responsibly that we forget sometimes it's not up to them. the fact is our leaders wrote some bad laws that not only give
11:01 pm
investigators way too much power that had no real oversight and accountability and that didn't have a long ago and doesn't seem to be changing for the better in recent months either. but on top of that, google isn't the only private company in the chain. comcast and at&t and verizon and time warner are all a part of the surveillance system and keep the data on what we do as well. if you work for a university they keep logs of much of what you do as well and sometimes the purge will all but sometimes they don't. right now the government is on a big effort to get internet service providers to cease purging the logs and they want to have a record the ortiz for investigation and data mining
11:02 pm
and so the companies don't actually want to be part of that, they don't want the responsibility or the expense so it's not like they are defending our interest they are defending their own interest to just evans most of them do want to protect us if they can. they'd rather be on our side than the government not out of love. it's actually out of concern for having too much hassle nonetheless we are losing in those companies. so you're absolutely right to be concerned that in fact any of us can get snagged in some sort of expedition. it's too easy to come up with what are called false positives in the data and analysis and we've already seen the case of innocent people dragged into that situation to extricate themselves from because they have the wrong data points in the system. that is a much bigger problem. i'm not ready to write that book. i'm angry enough but i'm not qualified enough to write that book.
11:03 pm
now, i'm not anti-google but what i am against is our own faith based increase of google and that's why i think there will be times and privacy is one of these areas there are times when we might want to and i do want to invoke the power of the state to restrict the information that companies can hold about us and the manner in which they hold. that's important and it's going to be more important every day. that's an argument we need to have it has to occur at a better level than trust us we've never done you wrong. that's where i'm coming down. we need to be more responsible engaged citizens and users and we do want to use the power that people have which at times involves the state to take care of our interest. and google scholar was a neat
11:04 pm
idea that came out of this policy that google has where they let employees spend one day a week, 20%, working on projects that don't serve the bottom line that are not about their prime project and a couple of folks decided there's all this literature that's really helpful and might be really valuable to people outside the environment. i get access to this amazing information to the scholarly journals by working for the university but if you don't work for the university or go to the university you are out of luck. a standard doesn't bring this up. they invented google scholar and got permission from the publishers to come through and let them index their information to present these articles. if you have used it you know if you are not in the university environment you have to pay ultimately for the article that you find but at least you can find the article. so that's great and that is
11:05 pm
super up to a point. but again it's how you do it. how they do the search system for one thing. because there by its built into that search engine to read one thing that the articles is they don't link to each other. if i write a scholarly article, as i have and my friend jonathan here who's another professor but it's a scholarly article if they are not the same subject if we cite each other in the footnotes there is no electronic link, no hyperlink like on the web and that is the magic thing they follow so what is it that makes them rank one result over another? nobody knows and i use it enough to know that it's not dependable. you lose a lot of stuff and miss a lot of stuff and if you do the same search a week later you get different results. the instability is maddening as someone who needs to pay attention to where articles are. if you do an exact title search or author you generally find what you want, but if you are
11:06 pm
just grazing around a subject area it's mad. better than nothing but poorly designed. it doesn't make google any money they are not likely to make it better. i tell my students especially graduate students starting with google scholar is fine but don't stop there. there will be a lot of articles that they do not show you and the only way to do that is to walk through the index available in the library. but again you have to be affiliated at the university to get that level of access and that is a shame. that should be on the agenda of likely human knowledge project, this plan to give everyone decent access. yes, sir. >> i want to make a comment about getting access to the browsing habits and whatever. i thought at this point i'm not really sure but i thought from my friend that the federal
11:07 pm
government has a subpoena control or request. i thought it was a pretty standard situation at this point. >> what happens right now [inaudible] the requires no oversight. that's an fbi agent saying i want to do this and not having the power to compel someone like a bookstore to hand over records of what people have purchased, but it also has it a built in so that the subject of the security letter is not allowed -- the firm that is handed the letter isn't allowed to tell the subject of the investigation of its existence so you don't get to defend yourself. >> that's part of the patriot act? >> yes and no. the national security letters are but there are other elements of
11:08 pm
their investigative power that come from their earlier law in the clinton year and basically what we have now is a system in which if you are a really bad person doing really bad things you don't have to worry about this powerful investigative power because you will use strong encryption in a really smart way because it doesn't take that much investment so the bad people in the world are totally escaping the surveillance. it's just the dumb people and you've read about them, they got arrested for being dumb coming up with plans that were never going to work because they were too dumb to use encryption and used e-mails that forged their plans and they get busted and everybody cheers but we have a situation that people who want to do bad things are basically outside of the power of law so the fbi has to show it's doing something and ends up snagging people who are not that dangerous. >> i was thinking more of the browsing a pattern where people
11:09 pm
would go and information. it's not a question of sending the problem intercepting the messages and reading them, that kind of thing you're talking about with encryption but as far as you know, tracking patterns of anyone which are maintained in a small so where are the people going to go with their browsers, what you're doing, not necessarily in addition to the information coming back to them, but it's a question of the motion and how were on the net. they are also concerned about that like a person wants to say in afghanistan or something it's very important for the cia to know that. >> they could get into the server and say i think what's happening right now with some of the isp like at&t and comcast
11:10 pm
they are fighting i think the government accessing those for the web service themselves and that's a very contemporary issue. >> all of this goes above and beyond the service which is what i concern myself with. i think there is a much larger challenge in enhancing security and jobs and i don't think we are serving either of those well in the current system but again that's another book i haven't written and it's probably not the subject i should be addressing right out here on c-span. yes? >> you talk about google being a young company can you talk about its life span in human terms which doesn't seem terribly accurate. a restaurant is 12-years-old is
11:11 pm
a very old and much for one and given your comment about how fast things change, i know it just seems disingenuous to me to compare it to an adolescent because a 12-year-old human being is an adolescent so i was wondering if you would comment in company terms where does it go and again is the length of its life even a relevant issue? >> you are right. in internet company years it is actually quite old and established but that speaks to my point i think in a stronger way than my cute way of expressing earlier and by that i mean because internet time is so compressed 12 years is a time that demonstrates its power and success. it speaks well to its ability to thrive and you could look at it as balancing and quarterly reports as well. the environment shifts so
11:12 pm
quickly and the nature of the value shifts quickly and internet company years are so compressed that for that reason we can't expect it at 20 to resemble what it is at 12. general motors has been around 75 years and that's impressive but it's not what it was as a that's a long company but it's in an industry that builds things that last and what of the government and make sure it had subsidies not just lately. that is a game to lead to different game so that industry has a different time compression factor than the internet industry. while you are right i wanted to really compare it to the older institutions with deep roots that are ultimately i think the proper information system.
11:13 pm
libraries and universities and not just limited but the sense of the collective culture, this notion devotee we should have a diversity of interests and we should respect the gathered wisdom of these institutions and the people who work there and not just be dazzled. that was my point. yes, sir. >> i am curious what you see as the biggest danger or threat it poses in a particular environment. >> it's cheap or free and universities right now are under such pressure to do what they can for almost nothing so most universities i know of are now considering, if they haven't already, shifting their e-mail hosting to google letting google host their e-mails and with students if not staff and faculty and what's going on with that is basically google gets customers for life a student graduates and wants to keep that e-mail consistent because he or she already has a lot of job search information on
11:14 pm
that for instance that person is going to remain a google customer so it is a nice trick for them. but nothing really sleazy about it. the danger of course is that universities are supposed to keep the highest level of privacy respect for their students and that's compromised once you shift important information to a third party. and i'm not convinced that in that instance and instances where professors are being urged to use google documents service in classes and as a part of the courseware. in those cases i'm not convinced universities are looking out for the best interest. fearing for the chief and the ec and not necessarily building a proper safeguard for the negotiation because there is almost no reason to negotiate for someone that's giving you something for free but that is in the real world someone is trying to give you something for free on the street he should be aware and negotiating because that is until it is working in
11:15 pm
the universities right now. >> any record of the students' grades like a paper that's been graded or comments about the performance or recommendation letters i happen to write for a student are not supposed to be distributed beyond the authorized recipient. if i write a recommendation letter in which i will often say how the student performed in my class only the recipient of that with the student's permission is allowed to read and the student has to waive the right to read it him or herself legally according to the law and any grade report can only be shared with the student i can't even tell parents what the grades are which drives them crazy but that's important because you never really know who you were dealing with on the other side of the phone. so respecting that sort of relationship and treating students as adults is an important part of the culture of our institution and federal law. and i am afraid we are letting it slip in different ways when we invite facebook into the classroom and youtube, we are
11:16 pm
encouraged to do increasingly, we run a lot of risks and i don't think that we've got the ball through. >> you don't really want to touch on the idea like as the resurgence of how the fbi gets the information is kind of weak, but other than just using the library and other sources, how can we manipulate using the information they get without just stopping using it? to meet you can go to the privacy settings and come up with a privacy level but when you do that you limit the functionality of a lot of its services. the other thing is to just know if you are aware everything you type into the google search box is used in some way either by associating it with you in some way or collectively as a part of your community you might actually be a little careful about how to construct a search. you might want to turn off the ability for google to follow you for certain searches and turn it back on when you are doing
11:17 pm
innocent searches or might not be misconstrued. there are destined clever ways to use google, the tools to give but the problem is the defaults are set and always set for the maximum vacuum information rate puissance google wants you to be all pretty comfortable and not suspicious and therefore willing to give it everything to be used in every way and shared as widely as possible the default is always maximum. it's up to us unfortunately to train ourselves to be wary, to be careful, to worry and then take action. i think this is the wrong way to have a system and i wish that were law would actually get so that the companies have to convince us to turn on the spigot the companies have to say by the way if you let us collect following information we will give you a better service and this is what it will be. that's an honest transaction but to have the default on maximum and help us have to guess what we should set it to, that's
11:18 pm
actually not three honest small company that claims to be responsible to be with us a think it's dishonest. yes? >> how google responds to and reacts to its competitors. facebook is an interesting mumbai brackett the publishing company, and so how it interacts with apple and amazon in particular interests me. last week or two weeks ago apple comes out and announces the will have magazines and charge publishers 30% and then they see we will do the same for 10%. how are the kind of responding to the marketplace? >> google has so many competitors. think about the fact they now have a mobile phone company so nokia is a competitor and so is apple, and so is blackberry so that's one market in which it has an intense competition. in the area of publishing what google is involved and build a
11:19 pm
bookstore but it's also trying to offer sales and access to electronic versions using the system, and there's deals they negotiate with vendors and publishers are forming -- thorny. i'm not upset the university libraries are suckers and went to this corporate welfare deal without getting enough out of it if google wants to do this and pretty cool things that make money from at what they are doing in the periodicals and with books is undermining the position that amazon has been for a number of years. amazon is the problem in the publishing industry. and believe me if i thought i could sell even one book i would write about amazon that they would make sure that i would never sell book.
11:20 pm
amazon just wants to sell. that's actually part of the problem. they're good and efficient and by driving down the price considering every book to be a commodity rather than a discrete cultural item they do great harm to people that write books for a living and sell and publish books for a living. at the same time, people who read it's a great deal so that is the trade-off. it just so happens that we subsidize. we have huge government subsidies because if you buy my book in this store who have to apply to the copay sales tax and if you buy on amazon you don't have to pay sales tax. i didn't say that. we have government policies that make amazon richer and challenge stores like this and that's a shame and shouldn't happen because the case. amazon has had a heavy hand in all its negotiations with publishers. in dictating the terms of percentage the publishers get,
11:21 pm
the royalties authors get in some cases and it's been trying to force down the price of electronic books to the commodity level of $9.99. it doesn't respect the fact publishing isn't that simple. every book isn't going to yield a return if it is priced $9.99 and if they get used to that and consider a free booklet there is 100 pages or four hundred pages to be worth $9.99, then you are going to have a tough time selling books we know can't sell more than 502,000 copies. i'm talking of scholarly books mostly. we know they might feel or are likely and we saw a few thousand and the publisher but would sell 50,000. for books like that it's important to come up with a price plan that covers the money in the production process. but amazon wants to disrupt the system and treat all books like a commodity. what's happened with the competitors like google and now apple giving its bookstore and barnes and noble contributing
11:22 pm
electronic books and interesting ways as well and that gets lost in the big newspaper coverage of the industry. you have now more players able to work and more competitive ways so publishers now have the ability of a rarely happens to say no to the amazon and that wasn't the case before that seven or eight months ago were a year ago. to say no to amazon in the book distribution because the google is involved because it is sent out to cash in a big way in the sale of books. that's the end of the major side project for google but always a side project and so the role in the publishing industry and with newspapers and magazines over time i think will be beneficial at least that's what looks today
11:23 pm
to all of those industries and i'm happy to see them deal in a less coercive way. it to see them feel any less coercive way with the publishers because if i were just amazon, we would all be in trouble. >> i was interested when you were talking about everyone going to google and i noticed certainly with microsoft in the two areas slowly they are incrementally in encroaching on the control and i was wondering if people are becoming more aware were celebrating their searches so google doesn't have the whole industry and the battle you mentioned about higher education but it's a battleground in the call with windows and google 4012 information starting when they are little if you could comment on that. >> in terms of competition, in the united states, google has for the last couple of years
11:24 pm
had 70% of the search activity and that number hasn't changed even as bing has gone up because most of the new users bing is bringing in as taken from yahoo! which is actually a partner in bing so it is a zero sum. it is taking some of the searches away from google ... but it's also growing not so much in the u.s. but tremendously across the world so for instance in western europe google is more than 90% of the searches in most western european countries to fit in places like the netherlands and portugal it's more than 96% and i don't know why. i don't know why it's more popular in europe even though it's held under greater suspicion there. we loved google in this country but we don't use it as much as the people that you're in europe. that's weird but that's happening. there's tremendous growth in africa and the arab nations and india where google has managed to come out with multiple
11:25 pm
language search engines for the various 14 to 15 languages in india. it's come out with most of those. i lose count how many of them. no indian company had the audacity or the money to sink into that complicated linguistic challenge. google did it so there are a number of home grown search engines that have since failed because google can now not only to do through the language search or hindu but can take you through a really effective search in the language of commerce which is english so the growth has been tremendous. the two places that google hasn't been able to grow is russia and the people's republic of china and it's not so strong in japan or south korea for different reasons. in south korea the government helped investor early on in a search engine that specialized in the search to get every
11:26 pm
language is a different challenge because the syntax is different in every language so doing these relations among the words and terms is a complicated thing and google does well in english despite having one of its founders born in russia it's not that good in cyrillic apparently and within russia there is a strong sense of nationalism so the homegrown search engines in russia are much more powerful and popular than google even though there's little web censorship. in china of course you have the explicit web censorship and a huge relationship between google and people's republic of china and a number of search engines sponsored by or at least allowed to thrive by the government and there's other reasons the search engines do better in china than google does and google is doing worse. that said, in the united states i think that google is more concerned about facebook than it is about bing. bing is about shopping. nobody goes to bing to research
11:27 pm
climate change. you go to google to research climate change and that isn't always great but you go to bing to book an airline ticket. as it says in the commercials it's a decision engine. you will never see use bing to find out about dinosaurs. it's not going to happen. they are not interested in driving you that way because it's harder to make money that way, with dinosaur links. but, for that reason, google is adjusting to what bing is doing by becoming better for shopping but more importantly, google wants to keep you happy with the open web so you'll spend less time on facebook because that is a competitor. they are afraid facebook will manage to leverage all that information we get about the things we love and people we love and turn that into an efficient advertising machine. so far facebook hasn't mastered it which is why our pages are filled with ads that are not appropriate to us much
11:28 pm
of the time that everyone is pretty concerned and confident facebook will crack the code at some point soon. >> [inaudible] extensively in the last several years and it's quite prevalent. 64. appreciate it. thanks for coming. i will sign books. [applause] >> the book is available right at the front. thanks for joining us this afternoon.
11:29 pm
11:30 pm
sectarian differences that led to the consequential effects. in our history there were some of the founding fathers who wanted to put the corporation in the constitution by way of subordinating it to human beings. that provision never got through. you see at that time they remembered and they knew about the enormous power of east india company which ruled india with an absolute iron hand for many years with devastating human casualties they knew about the hudson bay company. the modern form of the corporation was being established the textile mills some years after the constitution was ratified in new england the reference point was the menacing power of these gigantic corporations.
11:31 pm
they didn't want a replay in proliferating the form in the country that they thought would succeed the constitutional structure in the usa. what is important here to realize is there has been a series of ways to fight back people who have fought back as workers and parents and buyers and shoppers and farmers, they fought back as women and slaves, and we have in our history the following ways they fought back. they fought back trying to use the vote. they fought back with regulation of these companies. you can see the farmer and worker fight back in the 19th century to create some of the foundations that were standards
11:32 pm
and protecting farmers in the banks and the railroads leading to the progressive movement. they fought back in the courts winning the cases now and then. some of them fought back as owners and shareholders and some of them as cooperatives, the new model that wasn't so commercially determined. it was owned by the farmers or by the consumers. some of them fought back by organizing rallies and demonstrations. you can see the occupy movement in that mode of the present time. some of them fought back by striking. some of them by forming unions. some of them fought back by whistleblowing inside these companies and taking the terrible information to the public to the prosecuting attorneys or legislators or
11:33 pm
the media. now because they have fought back they attracted the attention of the various transformations of corporate structure and power. corporations have as their monomaniacal purpose the aggregation of sales, the aggregation of profits, of the executive bonuses, and to do that they have to control capital, labor, technology. we are not talking about small business. small business has its own main street accountability talking about these large multinational corporations of the 500 big ones operating and globally and the 1500 or so corporations and getting their way that is the terrain and the corporations are
11:34 pm
counseled by the corporate attorneys. the brokers that are in the circle, the accountants the lobbyist and the shareholder controllers all of these are animated and to vetted by these corporate law firms which themselves are concentrated in perhaps three or 400 firms. and let's face it they are geniuses in concentrating power. the creativity of the modern corporate system is probably one of the greatest intellectual achievements. however nasty, however corrupt and disruptive in american history. they are always dynamically trying to figure out how to blunt, coopt, weaken, undermine
11:35 pm
or even smear all of these ways i just mentioned to hold these corporations accountable, to hold them responsible. the more they succeed the more these corporations can be charged without delivering an adequate level of economic activity for the people since they control the gateway, since they control the capitol it the and technology. the evidence is truly overwhelming. in 1900 there were a lot of poor people in this country. in the year 2011 there are a lot of poor people in this country. there are a lot of the uninsured people for health care in this country. in 1900 there were a lot of the uninsured people through health care. the difference is the worker productivity has increased 25-fold adjusted for inflation per worker. so why is there any poverty?
11:36 pm
why do 15 million children go to bed hungry at night? why is poverty increasing even though the gross national product continues to increase? for two general reasons. one is power is so concentrated that the wrong things are being produced and the important things are not being produced in sufficiency. for example, well-distributed health care with a focus on prevention. for example, adequate food supply with nutrition, for example, public transit of a modern and convenient style. the wrong things that are being produced, huge portions of the economy making money, the paper economy, speculating on top of speculation the derivatives that keep using other people's money
11:37 pm
often pension money, people's savings by speculators who often don't use their money, they use our money to generate the fees that were unregulated. we have the right things not being produced, not the right things in the right way being produced environmentally recycling ways, respectful of descendants ways, respectable climate change from acid rain, land erosion, oxygen depletion in the ocean, etc. the second aspect what is produced is very poorly distributed. this is the achilles heel of corporate capitalism, because no matter how much is produced in the aggregate and what isn't,
11:38 pm
the one claim they have to legitimacy is they know how to grow an economy and how to build the gdp. they know how to aggregate capital and if they can't distribute it in a way to prevent people from slipping behind as they are now, they lose their legitimacy. the highest wage for the majority of workers in the country adjusted for inflation is 1973 it has been downhill ever since.
11:39 pm
now, the author of "worm" talks about conficker, the worm that infected more than 7 million computers around the world between 2008 and 2009. mark bowden also wrote black hawk down which was turned into an oscar-winning film. mr. bowden spoke for a little over an hour at the computer history museum in mountain view, california. [applause] >> good evening everyone. we are going to do this in several parts. i'm going to do a very brief
11:40 pm
introduction and then mark is going to do a brief reading and then we are going to have a q&a and then i think the cards are going to come up and we will make this as inclusive as possible. for the discussion tonight, mark bowden is a journalist who of course you probably all know is the author also of black hawk down and the basis for the movie directed by ridley scott. mark was a journalist first 1979 to 2003. he was at the philadelphia inquirer and for three seasons he covered football, is that right? >> that's right. >> he's written for the new yorker, the atlantic, sports illustrated, rolling stone, and i have to mention that wikipedia notes he read the electric kool-aid acid test.
11:41 pm
>> i was struck as well but not to become a jobless -- journalist. >> t. j. campana who to my mind is as close as you can get to the digital sherlock holmes. he's also the senior manager for the investigations of microsoft and digital crime unit and he gave me a sticker. before mark talks i want to just talk a little about our subject the history of the worm probably most of you are familiar with it came from a science fiction novel written by john in 1975 in which he posited something called the tapeworm, and the wonderful thing about that book, in particular with respect to
11:42 pm
conficker is that he sketched out an authoritarian regime that controlled the society from the omnipresent network, and the rebels used a tapeworm and the only way the regime could get rid of the worm is unless they lost control so that will bring up conficker i'm sure. you also probably all know the first real programs were expanded with in xerox parc by the researchers john shocker and neither of them are here tonight. is john here? yes, good. i was looking at your paper in preparation for this and i thought what is the difference between a worm and a virus. we go back and forth on that because they both came from science fiction novels and so in
11:43 pm
the original paper the worm is designed as simply a computation that lives on one or more machines so we can go from there and maybe getting to the distributed computing. but also in addition to the roots of the computing being here i want to talk about the roots of the computer crime. don parker isn't here by chance is he? of course. if we want to know about the roots i'm sure it is somewhere in the 1950's or 1960's i was thinking about the roots of network crime, and to the best of my knowledge and i'm certainly willing to be contradicted or corrected, but someone who was at the stanford ai lab who has a great deal of authority told me he believed the first computer crime was a drug deal done in the late 1960's between mit students and
11:44 pm
the stanford sail students. i would love that to be true. that is as much of the layout. why don't you take over. >> thank you, john. >> thank you for coming. i am particularly delighted to be on the stage with two guys that actually know what they are talking about. i am an old newspaper reporter as john mentioned, and about a fellow named jim who was the managing editor of the philadelphia inquirer overnight named me the science writer. this was a terrific thing for me because i was working in a suburban bureau and then i got to come down and work in the main office, and particularly during the 1970's the inquirer was one of the preeminent newspapers in america so overnight i was one
11:45 pm
of the preeminent science writers in america all of which is of course completely unmerited. it turned out that in looking for a new science writer for the newspaper he was going through the resume of everyone on the staff and he noticed that i subscribe to the scientific american. [laughter] [applause] and that is how i became a science writer. the truth of the matter is i was an english major in college and i had started subscribing to the scientific american precisely because i knew nothing about science and i thought so much of the modern world depends on science and technology to make an effort to understand these things and i think that magazine has gotten a lot better but 20, 30 years ago i couldn't read any of those articles. they always had a little italicized introduction i could understand but as soon as the article started i was lost. so they had been building up in
11:46 pm
my closet for about three or four years and little did i know that they would launch me to the height of american journalism, but i discovered in covering science in the years i did for the inquirer that my ignorance was actually very useful because i was writing stories for non-experts, and i was ignorant enough to ask the truly ignorant questions that needed to be asked so if i was interviewing a physicist at the university of pennsylvania i would ask what is an electron exactly? and that was so effective for me that it became a kind of philosophy of journalism. so whether i am writing about pro football or a battle in somalia or the iran hostage crisis or in this case a piece of malware i begin at ground
11:47 pm
zero and if you were to actually listen to some of the initial interviews i did in preparation for this book, you would laugh because i have to stop the people i'm talking to literally every sentence to ask what they are talking about. with questions like what is a router? what is a server? what is an isp? it was completely foreign. what was great to me about the story though is that over the months that i record in "worm" there was a fascinating intellectual struggle going on between the high level computer security experts and some extraordinarily sophisticated authors of malware. the conficker popped up in 2008 and rapidly began assembling one of the largest botnets in the world and what was especially fascinating about this is that the ad hoc group who started
11:48 pm
working together to try to corral conficker made moves to try to fence this in. the creators would make countermoves and this went on countermove over a period of four or five months so i'm going to read you by way of illustration a little passage from "worm" by explaining that after several of these moves rodney who was a wonderfully burly south african emigrated years ago and has become the head of security for neustar which is a big telecommunications and internet based company in washington. as they called themselves the working group and as the conficker botnet began to grow and people battling it realized
11:49 pm
it posed a unique threat to the internet itself, rodney went to washington to try to enlist the support of the federal government in fighting the thing and so rodney got invited to give a presentation at the department of commerce because neustar manages the .us level domain so he was a contractor and he was invited in and he gave them his powerpoint presentation which he had put together in his hotel room the night before about the conficker and this alarmed the room who much to his shock had for the most part not even heard of conficker and he started getting invited over the next couple of days to give the same presentation to the various other places so this passage i'm going to read you is like two or three days after rodney has made his initial presentation at the department of commerce.
11:50 pm
the following day he was asked to brief the staff of the senate select committee on intelligence. because the committee offices were off limits to those without a high security clearance the staff arranged to meet with rodney in the visitors' center of the capitol building in the cafeteria. about a dozen staffers met him there in the middle of the afternoon. the cafeteria was quiet and empty. they cordoned off a portion of the room with portable dividers and sat around a table. before he got started one of the staffers, a young woman interrupted him. just so you know, she said, we probably know a whole lot more about conficker than you do. we received a classified briefing yesterday afternoon, the woman said so there is not much more you can tell us about it. that's really good news, said rodney, his voice heavy with sarcasm. he knew without a doubt how
11:51 pm
clueless the establishment was. the woman's arrogance annoyed him. he started collecting his notes. since he had matters completely under control, he said there's no reason for me to be wasting any more of your time. as he stood there was a chorus of noes. we want to hear it said another. so rodney sat back down. he took the copies of the powerpoint presentation which had been printed up on the neustar stationery. he handed them out around the table. the woman that addressed him flipped open her copy and pronounced yep this is the same presentation we saw at the classified white house briefing yesterday. [laughter] the meeting dissolved into laughter when they realized that u.s. had simply taken rodney's briefing and presented it at the white house as their own work and classified it to boot. [laughter] rodney later confirmed it
11:52 pm
with his white house contact who attended all three of the sessions. they just gave it as their own, he said. so much for the vaunted cyber defense. [laughter] [applause] that's actually a terrifying note to start on if i think about it. stomach isn't it? >> there's certain analogies that appear in your book. early on i think at a certain point you gave the sense that the internet is wild west or some sense of that territory stretching out, and that analogy to my mind sort of brings out the possibility of the definition of the cabal as vigilantes and i was wondering, one, if the vigilante term works is it correct and by asking both of you then that all the one
11:53 pm
question is since the fed is doing well as the vigilante the last best defense in cyberspace? >> they certainly were in this case and i think actually the guys, t.j. was one of them, were a little uncomfortable with the designation when someone looked it up and realized the actual definition implies a kind of illicit or illegal activity so they subsequently dubbed themselves the conficker working group but it's like if you are the fat kid on the playground and people start calling you skinny there's no way you are going to get rid of that so they continued to be among themselves the cabal. >> do you take a notion with the issue of vigilante? >> some of the operations we've done despite the fact we've already gone to court and have legal positions to do what we do
11:54 pm
there's a growing community of professionals around the world that were saying they could take this back and can do something here because at some level the internet is operated by the good guys. so really it was more of an assertion of the right that we had around to protect our own system, so i think the vigilantes' for one of the lightning rod terms working in the legal corporate affairs at microsoft they are called vigilantes. >> it was an ad hoc assembly for the most part of volunteers who spent a lot of time and energy trying to mount an effort to protect the internet from this threat. there was no formal organization. how hard was it for you to break down the hopes when you started the book? did you get the cooperation easily, with difficulty, did it depend on -- >> everyone was terribly eager to help, they were appalled at
11:55 pm
my level of ignorance. they are extremely patient and most of the folks i work with went out of their way to help me understand, to read the draft of the story as i was writing it and correct my mistakes, to help me better understand the story because i think they felt it was an important story. >> i want to ask both of you early on for your i guess what have you been saying about the state of security affairs and cyberspace as you go on your book tour and then i want to get your gauge. what was conficker an indication of in terms of having cyberspace be secure, are we entirely out of control? where are we? >> i think that t.j. can answer better than me but my impression was, and i was surprised to learn how vulnerable the internet itself was to threat
11:56 pm
the botnet of this size and the internet that grew out of the late 60's, early 70's utopian spirit of the freely sharing data and at the time primarily by academic researchers and scientists failed to adequately consider how the openness of the internet which is such a boon to the world could also be a tremendous vulnerability and that there would be people who would take advantage of it. i think the fact that the federal government in the conficker was clueless about what was happening and what to do about it was shocking to me. my impression is in fact president obama in 2009 when he gave his speech about cybersecurity, he specifically cited conficker as a case that demonstrated how ill-prepared the federal government was to protect even its own network. and i think that since then things have improved, that's my impression.
11:57 pm
you have seen a number of moves made by the federal government the last two or three years that have been publicized and written about so clearly the government is more aware today than they were just two or three years ago but there remains an enormous problem because it is a global issue. there is no such thing as a global police force and there is no such thing as the international law governing something like this so it poses tremendous challenges. >> i think the openness of the internet is its greatest strength and weakness. it's tough to kind of manage the usability and security on the same level. subject its open makes it vulnerable to these scenarios and was invented in a different time. i think that the conficker incident was kind of an awakening and i won't speak for microsoft perspective a new way of thinking about how can we address these issues but
11:58 pm
thinking around how is it all of these technology companies sitting in the seat of technology right now how can we not be more aware of what is going on and how can we play a bigger role as the industry to tackle some of these problems and honestly when rick called up with a couple of my colleagues on the phone and said what is microsoft doing about this we were honest we were like well we have released the patch for that. [laughter] so we are sitting there looking at it and having meetings with the folks that do all the patching for our technologies and we said we can do more something. we should be able to do more something here and there was kind of an awakening for microsoft in particular and you have seen our program explode into these different ways of thinking about cybercrime and the way people are using the internet and the microsoft technology. >> before we get too far can you give an epidemiology for people
11:59 pm
that may not know the blow by blow of conficker or just the first half you talked about it showing up i guess it was john that talked about it but just sort of describe the beast. >> the worm has popped up on the honeypot as honey net and was on his monitor and what happens is the line will pop up on the monitor and there's all these revolts one of which is a column that indicates how well recognized this virus is to the major anti-virus industry and this one was recognized by no one. this was the first and the next thing that happened was it was replicated so rapidly that within 24 hours it was shoving every other piece of malware out of the honeypot.
12:00 am
the only things on the screen were conficker, conficker. he said i literally had nothing else to work with at that point. but what they discovered when they began to dissect it is it was a sophisticated piece that was highly encrypted. one of the things it did was check to see if the computer it was about to infect had a ukrainian keyboard and would self-destruct if the computer did. but basically what a worm like this does is penetrate to the core of the operating system and replicate itself, send out and infect every other computer on your network and also begin calling home to a remote controller. the remote controller the way that you would ordinarily kill it is top of its head if you could intercept that communication you can effectively kill the botnet so the botnet had an algorithm that
12:01 am
generated randomly 250 new domains every day so >> the bot master had to be behind one of the 250 doors, and if you wanted to cut this thing off you would have to shut down all 250 domains every single day forever. and so that was one example of the cunning nature, and t.j. mentioned him a moment ago, began buying up domains and putting them on his credit card, which gives you a sense how ad hoc this effort was to stop it. >> before we go down the path of the worms. i want to know what kind of -- a question for t.j. i have a very old e-mail address, and i have a filter in front of it -- >> what? [laughter] >> i think most people here will
12:02 am
know my e-mail address. and since most malware, i take it, is distributed by botnets, and in the form of -- well, the level of spam is some rough correlation out there in the world at the level of malware infections. so i remember about a year ago a large botnet was taken down, and for a while spam fell off. but i have to say that if i look historically at the number of spam messages that are stopped by my program, it's 10-20% worse than it was before that happened, and am i the good indicator of the state of. >> it's a perspective situation. you're talking about the b-17 botnet takedown. we laughed at reports coming in. one was zero impact on spam.
12:03 am
one was 5%, one was 10%, and one was 30%. so we thought, what's the real number? and we determined it was perspective. so we called our friends at hotmail. did we do anything good? they said, we see a drop off of spam of .70%. i was hoping for a bigger number. the followup is a lot of the web mail providers had systems in place that prevent sending spam from non-known mtas. they had been blocking a lot of spam already. so we had small impact with hotmail. other organizations, particularly private companies, saw a huge dropoff because the big spammers wouldn't be sending e-mail to hotmail because they knew we were blocking, and gmail the same, yahoo. so we talked to our hotmail folks and they say they largely managed the spam
12:04 am
issue, but it was going out to a whole bunch of domains. we saw hotmail spam leave because -- when we look at these things, going back to your question, i look at how many millions of my customers are impacted by the malware. if it's running one, it's running something else, based on our testing. so we look at it differently. spam gives us cause to sit in a courtroom and say, they're harming us, and i'm also looking at how many of my customers are being impacted. so when we looked, the analysis showed it would reach out to a piece of infrastructure. a patch, so we were able to fingerprint that and we knew how many of the machines -- how many machines we were dealing with. so one of the criteria, how many
12:05 am
of my customers are being negatively impacted by this malware. so i think the state is not great on the internet. but i really -- the past couple of years have seen a surge in internet service providers and technology companies taking more interest, knowing that private companies can do more to protect folks. i think the dark days are behind us. [laughter] >> i need some type of wood. i think we're getting that awareness. as we start to really understand that there's more things we can do. we're kind of coming out of that. so at our last conference two weeks ago -- we've been doing conferences for ten years now, the digital conference on the heels of the botnet task force. we're starting to see more people talk about how can my company help? how can my company take down -- i would love to see spam go away as a distribution mechanism, but
12:06 am
i think from a perspective -- there's a certain perspective that shows that it might be the case, might not be any change, but we're still in the infancy so we don't know. >> so, this book is a whodunit. except i still feel we don't know "whodunit," and i just want to check in with you guys and see where we are. your book ended at a certain point. there's been a couple of things that happened. so take me through where the law enforcement aspect of the worm is and if you guys feel that you have conclusive sense of who the authors were or are? >> my suspicion is -- i can't say with any certainty -- that the authorities do know who was behind it. and i expect -- i suspect the difficulty in apprehending them has more to do with diplomacy, dealing with a foreign government, with foreign laws and police agencies, than it does with actually finding them. but what we do know about the authors
12:07 am
of the worm, without having caught them yet, is that they are tremendously sophisticated programmers, and the reason i use the plural, is it's clearly not one person, so much proficiency in so many different areas, hard to imagine one person would have that level of ability and knowledge in so many different areas. so the likely culprit is a group, well-funded, probably funded by organized crime, who set out to create a very large, very stable botnet which could be used as a platform for all manner of mischief, a moneymaking platform. >> if you look at the early indications of how -- strong
12:08 am
ties to fake antivirus, the keyboard check is really interesting because nobody wants to be arrested by local authorities for compromising machines in their country, and looking towards eastern europe to find out what that looks like. it's one of those really interesting -- i agree, we referred the case to the fbi early on. they've been working the case for quite some time. i know they're working hard on it. i don't have any -- i don't have a picture of the guy. >> maybe i'm just enjoying the mystery too much. can you rule out the possibility of the head fake? if you want to point to the ukraine, what better way than putting in a keyboard -- >> that's definitely a possibility. i think that it's entirely plausible that someone would create something like the conficker botnet as a moneymaking tool because it can be used for virtually anything,
12:09 am
this group in europe used it for a scam to drain $72 million from american bank accounts. they did that by leasing a portion of that botnet. that's a one-time it was used? or was it used several times for -- >> t.j., you know the answer. >> in the early days it was driving traffic to trafficconverter.biz. and it was used to distribute malware. >> so they went through these stages where -- what, five versions? >> i think some quarrel over whether some strains represent an entirely new one or not, but i did really read all those e-mails. >> three strains, a, b, and c, c being the most sophisticated. i mentioned earlier the worm was general -- generating 250 domains randomly every day, and
12:10 am
when rick wesson and the cabal got their arms around corralling all 250, there were 50,000 domains every day. so it's almost like you're willing to spend this amount of time and money and effort to stop us. are you willing to make an exponential reach. >> and then they went to peer-to-peer communication. >> that's right. and the cabal managed to recruit the cooperation of every top level country domain in the world, all 110 of them, and got their arms around 50,000 a day, only to have the worm introduce peer-to-peer communication so they didn't even need it. >> do you think the authors were doing this on the fly? they were seeing what the cabal was doing and responding? >> without a doubt. they would put little clues in that they were monitoring the traffic on the listservs that the
12:11 am
cabal maintained. they were tapping into sri's, just to check on -- how some were -- >> without giving away their id? >> they didn't. one of the interesting things they did was the communication from the worm to the bot master was encrypted, which is sha-2, the highest level of public encryption method in the world and there's actually a competition on to develop sha-3, which when it's complete will introduce the new highest level of public encryption. well, conficker a had sha-2 as its method of encryption. conficker b used a proposal for a sha-3, which came from ron at m.i.t., who has been the author of the previous shas, and then rivest had a minor flaw in
12:12 am
his proposal so he withdrew it and corrected it, and conficker c had the corrected proposal from ron. so my personal theory is that it might be ron. >> when they went to the peer-to-peer, the cabal couldn't see the traffic -- >> you could still see the peer-to-peer networks so one of the big issues we have is we don't want to make smarter criminals so we're making sure we're doing what we're supposed to be doing and putting the enemy at a disadvantage. the fact they went to the peer-to-peer mechanism didn't make them invisible. we could track to a limited degree. if we had enough sensors in the peer-to-peer network --
12:13 am
we could map it. they were actually able to sneak a domain in we missed. we were still trying to figure out, how do we stop 50,500 domains per day? so they snuck a domain in. the update happened. they only updated a part of the bot, that peer-to-peer mechanism. that's traditionally noisy, not as reliable as the straight command and control. and it is more resilient to attack but as you saw, there are vulnerabilities in most of the peer-to-peer pieces out there. so we're able to, and often times analyze the malware and the traffic flow enough to impact that. >> somebody -- how many infected machines are there in the world still? i hear ten million? that's too big a number? >> that was like initial numbers and they were using the q value, the unique stream. what we think is the latest numbers from shadow server,
12:14 am
4-1/2 million conficker ab, and around 250,000 conficker c nodes out there. >> it hasn't done anything of note for how long? >> a long time. >> let me go back to your question earlier about the head fake and the ukraine. the most logical explanation for a botnet like this is a platform for criminal activity, but if it is a sophisticated feint, something like a botnet of this size, it's capable of overwhelming the root servers of the internet itself. now, if a nation state was behind it, you wouldn't necessarily use that weapon right away. you would wait until you wanted to use it. so, i mean, there have been folks who read the book and are disappointed the real world doesn't offer a clean dramatic
12:15 am
ending to a story. so, it is true that the authors of the conficker botnet have not tried to destroy it, but the idea that one in kiev can destroy the internet is -- >> your bet is they haven't gotten the conficker author? >> correct. >> there's a spectrum of motive. one is just malware. what i discovered in your book i thought was fascinating -- you had an explanation and i thought there might be another one -- one of the generations of the worm, the nodes reported how connected they were. >> right. >> the authors were thinking
12:16 am
about the structure of the social graph, and guys at m.i.t. were wondering if this wasn't a surveillance tool rather than a theft tool. did either of you run into the possibility, someone instrumented the net so there's -- >> there's robust discussion what the actual cause or use of the botnet was, everything from a state malware that got out of a secret lab. the prevailing theory right now is it's being used to monetize scareware. it's too chatty. if you look at the modern threat malware, they're not generating 250 domains per day. this is not designed to be state
12:17 am
malware. >> how long have you been in this business? when did you start doing forensics? >> i went to florida state after the in the better part of the 90s. mr. bowden, used to be the coach of our state seminoles, and i became interested in information security, but going through college you do many things and looking at network administration, and i had a knack for it so i started looking at that. and mid-90s, academic institutions, the wild, wild west was a good description of what those networks were like. typically fragmented administration. we were a public university. couldn't block anything at the edge. i hear that is still the case.
12:18 am
so, we would see some amazing traffic patterns. and it was really kind of an open honeypot, the entire network so understanding how machines were getting compromised, piqued my interest. >> do you have trouble keeping your spirit up? this is kind of like rolling a big ball uphill. >> i love it. i love it. every day. that's my wife, are you going to come to bed? i'm like, hold on. and i say five minutes and it turns into five hours and the sun is coming up. we were discussing this earlier on in the green room. i don't think i could wake up every day and do the same thing and that's what this allows us to do. >> i find that not just of t.j. but all the people involved in the cabal -- t.j. has a job but some were thankfully doing it out of the goodness of their heart. why were they doing it? i think the -- maybe the right answer is, it's fun. it's fascinating. it's like these people think
12:19 am
they're smarter than we are. i don't think so. >> sometimes they are. sometimes they're not. >> no, never. >> good guys always win. seen all the cowboy movies. >> how many members of the cabal are here? is paul here? anybody else? just two of you. >> are we a dying breed? >> so, what's your take on this white-hat culture? what did you come away from meeting this group of people engaged in this struggle? >> i think you can make an argument that conficker is not -- it's tremendously interesting and sophisticated. might not be the most dangerous worm ever, but for my purposes, it's a wonderful case study, and it gave me an opportunity to sort of walk around in a subculture -- in this case the culture of computer security
12:20 am
geeks, uber-geeks, i call them. excuse me. >> that's okay. >> and i think for me, that's the tune of reporting and writing, is learning about aspects of the world and modern life that i otherwise would never encounter, and so for me i think that this is a unique subculture because the internet is a relatively new phenomenon. it's grown so rapidly that you find that the folks who are at the sort of vanguard in the field, there are very few of them. it isn't like you can go to -- well, nowadays you probably do but when phil went to stanford back in i guess then 1980s -- probably making him older than he is -- maybe 1990s -- he had to actually shop around for a college professor who could teach him something because he had grown up playing with
12:21 am
computer networking systems and it was such a new thing that he had developed a very high level of proficiency on his end and it was difficult to find someone who could tell him or teach him anything, and i think that level of skill has continued and it's developed in different individuals for different reasons. but that's how i see them. >> interesting to kind of look at that, too. if you talk to andre bass -- back in jersey, those guys were basically self-taught. >> andre went to a community college and was running a security -- i.t. security guy for a small company in new jersey, and he discovered that somebody over the weekend had broken into his network and used it to stash a lot of pirated music and movies, and he was able to clean it out, and secure his network, and his bosses said, end of problem. andre thought, wow, and went back and checked the system and found that people were rattling his
12:22 am
door knob all the time to do this, and the idea that someone in eastern europe was trying to deposit a lot of illicit material in his little office park in new jersey, you know, intrigued him so much he set himself on a course where he has become one of the leading authorities on botnets in the world. >> did you spend a lot of time with the shadow server group or just -- talk about what is shadow servers? >> primarily i spent time with andre and also talked to richard, one of the originators of it. essentially they -- again, the essence of a volunteer organization. they began monitoring botnets, dissecting the malware that creates botnets, and killing them. they consider themselves to be botnet killers, and they would inform networks -- out of the blue they would call a network, security guy, and say, oh, we're calling from new
12:23 am
jersey to let you know that your network has been hijacked by someone. and they would routinely be dismissed as one pranking on them or someone showing off, but in time people realized they were right. and they were offering this information for free. so, andre's philosophy is, -- it's kind of like if you see someone's house is on fire, do you charge them to inform them their house is on fire? he thinks not. so he knocks on the door and says, hey, your house is on fire. and he does this out of the goodness of his heart. >> andre and i and richard and i talk about the, what's the right thing to do, and shadow server -- at the end of the day we do takedowns, the goal is to reach out to the end customer and try to clean them up and let them know, there's some things you need to do in order to be a good internet citizen.
12:24 am
>> a couple of times you talk about takedowns. is your group engaged in sort of wide-scale disinfection? you mention things that you have written code that takes infection off of machines? >> i'll be clear. >> on what scale have you done that. >> the malicious software removal tool, runs on 700 million computers each month. so that's one of the tools we use as part of the automatic update process. so then we also develop tools called the enhanced msrt. we have a disk called system sweeper that boots to a windows pe image that has a full signature set. we engage with isps and certs around the world to get them information from our sinkhole so they can carry the message into their countries. so the first time we had that
12:25 am
remediation piece in place, and it's slow-going. it was rough and ugly. who wanted the data, who didn't, were they able to actually use the data? so we learned a lot of lessons on that and took us a year to get 90% clean. when we did the operation b107, we actually had a 50% reduction in the first like 45 days or something like that. so, we're getting better. is that a long-term solution? no. we need to figure out, what is the longer term solution we can have more impact, but we kind of come up against the -- we're the good guys, can't push code to that machine like the bad guys. what other mechanisms are available? so we have robust -- >> one of the things mark did that was so good, at least compelling to me, is that in describing your patch, and when the patch went out, you being prepared, realizing there was an instruction manual you had given to the black hats and you alerted them to a vulnerability.
12:26 am
to me, how do you get around that as a -- just a structural problem you're facing? >> the guys, microsoft security response center, they weigh on that heavily. so understanding if there's a vulnerability in the os or any of our components, we weigh that. there's a lot of people dedicated. we know as soon as we issue the patch a whole bunch of people are going to say, what did they change? here's the dlls and put in the hex editors and change bits and start to look at what vulnerability was patched. so, you know, that's something that does go into the equation. so at the international botnet task force meeting in virginia in 2008 when we announced the patch ms08-067 -- i still remember the number -- we said, let's look at this and we had the advantage of having security researchers from 45 countries in the room.
12:27 am
we spend an hour and a half with everybody -- we had folks from msrc in the room with us. samples of malware and some of the exploit code, and we started to kind of shift it around. we knew it was definitely a vulnerability and we need to get the patch out. so people in the room patching their minnesota over the wi-fi over the core nation -- core onation center. if you're going to fix something, people are going to wonder, what did they update? >> six weeks later something appeared? >> a really short amount of time. i have people that model their cars and they take a snapshot of their os in their car, take it to the dealership, get the update, bring it back, and they tweak, so it's curiosity. these guys are using that curiosity for nefarious activity. >> mark, you paint a really good
12:28 am
picture -- a compelling picture of the white-hat culture. did you ever spend any time on the other side of the fence? >> i did look at the web sites where some of these purveyors are openly celebrating their success. i watched online a company party that one of these groups was having where they were raffling off cars to people and there was a rock band and everything else. this was in russia. it was very funny. >> it was funny. >> but it shows the level of involvement and openness with which people are engaged in this in certain parts of the world. the scope of this book, i deliberately chose to narrow it to the struggle against conficker, and since i didn't know -- i was hopeful to be hospital, they would catch these guys before i finished writing the book. if they had, i would have tried to go to wherever they're
12:29 am
from -- the ukraine, i would add that piece to the story but unfortunately that didn't happen in time. >> $250,000 out right now. anyone leading to the successful arrest and conviction, anyone knows anything, mark would want to know about that, too. >> absolutely. >> do rewards work for you? have you gotten tips? >> we issued i think four awards at this point. the first one not so much. the second one, yes. we have gotten good tips on the conficker case. and then most recently we issued a reward for the rustock case so we can't talk to many details. but it has been referred to the fbi, and $250,000 is -- i'd love to have $250,000. >> i feel like they're making millions. there's an additional $250,000. >> do you have a favorite success? >> i don't use success -- i have favorite things that have
12:30 am
happened, not necessarily all successful. i think i learned more from failing than successes, when we started contemplating the strategy, looking at srizbi with guys from fireeye, i realized what the challenge is. i'm going, i have budget. why can't i buy all these domains and my manager is saying you're going to charge $30,000 worth of domains? that's not going to work. buying domains is not the long-term solution but it would have worked so srizbi is one of the things that motivated me and a lot of guys i worked with on it to say, we're not going to let that happen again. >> a couple more questions for mark. and then -- can you contrast reporting this world, reporting in the black hawk down
12:31 am
world? >> not that different. i made a cloak -- it's true, i had to literally stop folks every sentence and ask what they were talking about, and that was true when i started working on black hawk down, soldiers referred to in a jargon referring to weapons systems and in the beginning i was stopping people all the time saying -- i remember once -- you're often mistaken for an expert in which you have just written about. and a colonel asked me if i thought a bradley armored vehicle should have been part of the protection package in mogadishu, and i thought if you can have an opinion on a bradley armored weapon you need to
12:32 am
know what it is. the sports writers would say, how can you cover science and covering politics or covering transportation to write about sports? and i tell them, it's a transportable skill. the whole idea is that you go into a world you don't understand you find the people who can educate you, you ask questions until you arrive at your own level of understanding and you write the story. that's what i do and why i like doing it. >> one last question. i think when you deeply engaged in conficker when stuxnet came on the scene? and as a writer, you're telling one story and there's this other story -- the great thing about conficker, it was one story with a cast. did you feel like conflicted because there's another big -- >> not much to be honest. i have a kind of disinclination to be writing the same story everybody else is writing and i
12:33 am
had no doubt it would attract a lot of attention, and there would be a botnet book or two, maybe you're writing one. i have no desire to compete with those folks. i would rather find a story that no one else is telling, and to me -- i wrote a book about the philadelphia eagles 1992 season. and i remember sports writers saying why? they didn't win the super bowl. it didn't make any difference they didn't win the super bowl. it was an opportunity to write about that world and those people. so, to me, that's what the story is, and the fact that there might be a sexier story that comes down the line is almost guaranteed but doesn't influence me. >> let me get the audience involved by way of cards. there's some interesting questions. this is two-part. one is a question and one is a comment for mark. what is the conficker for unix
12:34 am
environment. >> what's unix? >> let me ask this question. there's this operating system called mac os, like a unix environment. why do you think you have such a larger problem than the macintosh world appears to, aside from the fact they have 10% or 7% market share? anything else that's different? >> i think we can hang that on a number of things. market share being one that's been beaten to death. right? also the fact that there's not that much money in it. so if you think about the problem, it's a cybercrime problem. they don't do this for giggles, like we did back in college. i can make people's computers do funny things. so they're about money. they can cast a really big net on windows. the apple guys are starting to see a little more of it. it's going to be their turn to
12:35 am
have their windows xp service pack 2 moment. but it's one of those things, it hasn't hit yet. >> i remember this wonderful paper some years ago making your argument, it's a question of scale. then you can estimate what the percentages of market share they would have to reach to be at that point, and i think it was 19.7% market share. >> but it's also -- criminals are smart. they're lazy. that's why they're criminals but they're smart, too. if they realize that an apple computer costs this much more than a normal pc, does that have something to say about the socioeconomic status of the people doing it? they might write banking trojans for mac os and different type for windows machines. we're going to see more of that happening. but at the end of the day it's cybercrime. if i need a car and i'm a car
12:36 am
thief, i don't care what kind of car you drive. i'm going to steal a car. so bringing it back -- there's obviously security ramifications. windows 7 being more secure than vista, more secure than xp. microsoft learning as we go and there's the other element of cybercrime. criminals go where the money is. >> just a comment to mark. some of us who have been involved in other networks since the 1980's have been scared by conficker and how to attack them without killing the network. another question. do you think the worm creation might have been funded by a terrorist group like al qaeda? >> no. and i think because we have never seen that level of sophistication from a terrorist organization, and also the way that it's been used, there's nothing to stop the authors of the conficker botnet from
12:37 am
launching a massive cyberattack. on april 1, 2009, than they don't want to take down the internet. they want to use the internet to make money. so if it was a terrorist organization we would probably know by now. >> if it was a terrorist organization, probably be a little quieter. it comes back to how noisy the threat is. >> this is to t.j. what is microsoft doing to prevent worm/virus in the first place? os improvements? like unix? >> weren't the first root history -- we have a number of programs, the security development life cycle. windows 7, having things like address space layout. things like that. we obviously have these trustworthy computing
12:38 am
contingent, an army of individuals that triage vulnerabilities and have timely patches. automatic updates, a division of our company called the microsoft malware protection center so we offer free antivirus, and we have seen a shift from attacks against windows to attacks against third-party add-ins in social engineering so we're making huge strides on the security front as far as os vulnerabilities and now we're working on ways to secure applications. one of the tools i play on our systems is emet, the enhanced mitigation experience toolkit. and it's a free download and allows you to put controls around specific applications within the windows environment. so you can have application layer aslr, mix layer dep, on the machines. so that's -- we're learning by being forged in fire.
12:39 am
right? so for the past ten years we have been under the scrutiny of the security community. we have stepped up to that challenge. at the end of the day, if granny wants to install the dancing pig screen saver and it's been trojanized, we try to make it so folks have an informed decision what they're installing on windows and if something does get out of control we take our legal department and bring that to bear and protect our customers in a new and unique way for all industries. >> if you go back to the morris worm, it was buffer overflow vulnerability, used as the infection mechanism. what is it about buffer overflows that's hard to find? >> there's lots of buffers. you have automate stuff. we put a lot of our code through the sdl. so that's an attempt to try to attack that.
12:40 am
then there's dep and aslr. so making it more difficult for the attacker to guess your address. but they're sharp. so we'll close buffer overflows and all that stuff and they come up with something else. it's a classic arms race. every time in history you have someone comes up with a way of defending the castle, the attackers find a way to breach the defenses and this is happening in an intellectual realm. >> a question here. you guys have statistics on the number of infections. does this include pirated software? if not what do you estimate the worldwide conficker infections to be. >> the infection numbers are based on sinkhole data so we don't distinguish between pirated copy or legitimate copy. so it's a true number and flawed in all ways. so we just took the kind of the academic argument out and said, how many unique ip address did
12:41 am
we see per day? the dhcp address renewals, all kinds of stuff that will muddy those numbers. but if you kind of take into effect people behind corporate nats and dhcp, there's a 20% reduction in the number. so i think 4.5 million is the most accurate number we can come to, knowing all the flaws. so that's the best number we have. to speak to one of the other subquestions that was going to be asked, microsoft does issue patches to prior versions of windows. if it's a critical patch, we issue that. you have to be at the right patch level to receive that. but if it's a critical nature and you're a pirated version of windows, you can still install that automatically. >> how hard would it be for a nation state to create a consistent botnet bigger and more stable than conficker?
12:42 am
>> not hard at all i wouldn't think. >> a nation state? >> it -- depends on the nation state? >> it does. if you're aware of a vulnerability and you can exploit it, you know, something like that can spread very, very rapidly. >> i think it's even simpler than that. some of the new technology we're seeing now, like the ad exchange, browsing espn.com and getting third-party plugin on your windows box, we're looking at ways to do mass compromise and get people -- >> the trend appears to be away from that? for a long time it was creating massive botnets and now the trend seems to be more these advanced persistent threats you
12:43 am
have carefully exploits for a specific reason. >> you see the purpose. so if i want to make a lot of money quick i'm going to compromise a lot of machines knowing i have a six-day window for the antivirus to update and go. and if i want to be on for a long time i go to a more advanced approach. you're seeing advanced malware going into acp space and innovative techniques to get on to the bot for the criminal side. you're absolutely right. >> a couple of years ago the fbi stated that something like 100 countries had offensive cyberwarfare programs. you're out there in the real world. is that a plausible number? >> yes. >> i don't know where they came up with the number. i think there's probably most -- >> the modern world so much of -- we increasingly lean on the internet for so much that anyone who is thinking about going to war, has a military,
12:44 am
would incorporate cyberwarfare into their package. we saw it when russia invaded georgia, and estonia. certainly any country with a major military or defense department is developing capabilities, not only to defend themselves but to attack their enemies. >> so are we going to run into or have we already entered a stage like the period of nuclear testing where countries that were developing nuclear weapons were testing them in the atmosphere? are we at a cyberequivalent stage? that botnet was not a test. but do you think we have seen tests of -- >> you certainly see it in espionage. there are mounts numbers of instances where a lot of it is traced back to china, whether correctly or not, where
12:45 am
supposedly secure american networks are being scanned for data and data being uploaded and keystroke logging and this kind of stuff has just become fairly commonplace. >> with the evergrowing residency of mobile platforms are there any botnets targeting mobile devices specifically? >> we definitely see an increase in the malware impacting the mobile platform, as our devices get smarter and more -- always on, always connected to the internet, that's a logical place. i think most of what we have seen on the windows phone side have been exploit inside the hand set or through the marketplace. i can't speak of other companies in the valley that might be experiencing different things but you're going to see it on, see it on the tablets.
12:46 am
people have tablets and a mobile device. it's just clear, the bad guys are going where the money is. >> in terms of you new plat -- mobile platform, are the enter fates exxon? >> -- you have a windows phone. how much does it look like a windows pc? >> it doesn't look like it. it's part of the code. it's partly based on the windows mobile operations system but almost a complete rewrite. so as we go from windows phone 7 to windows phone 8, it's going to be a little bit different. >> in terms of -- as micrt said in your -- in the application to run on your mobile platform, will you be closer to an android or closer
12:47 am
to apple? i will say windows 8 will have an app store so we see a lot of the benefits of having that in the cloud. if you think about how microsoft is positioning our technologies, it's that three screens vision where my experience in windows 8 should be the same on any device. i should get those applications i want on demand. so we're looking at it, how do we vet those applications in the marketplace before they make it down to the device? >> this will take a little bit of explanation. is the tor project with untraceable routing a sensible idea or tin-hat lunacy? >> how much can you trust your
12:48 am
anonymity? >> it comes back to the same question. software is written by humans and humans are not infallible. maybe it's been written by someone in this room and we don't know about it. if you have, i have a business card and would like to offer you a job. it's one of those things, if you poke and prod enough at any piece of software you're going to find new and interesting ways and i think it's interesting, most of the vulnerabilities we're looking at buffer overruns, memory modifications. what's next? i'm thinking about, we're trying to figure this out. what is my kid going to use to compromise my refrigerator? and let the beer out or something like that? we live in the year of the flying cars. so, yeah, i think you have -- if you're going to use internet resources and use tools, you have to understand that what software you're using. most people don't get that i get that from the sister-in-law.
12:49 am
everybody in the room feels the certain part of that. it's our fault. if they get owned, it's our fault so figure out how to manage that is kind of the difficult -- sometimes heated debate in my house. >> are efforts still being made to block communications between the botnet and its creators and and how long will it be possible to sustain this effort? >> right now we're in year two and a half or three. we just had the latest 2012 list come out. so we're working on -- with the high level tlds to block those. on the countryside, a little more difficult. some folks have fallen off wanting to block it for much longer. i know that the big tlds
12:50 am
are -- a couple are still participating and they represent the bulk of the infections can the a and b infections, a smaller group. so they've been amazingly open to continuing the effort as long as we produce the list. they're able to go in there and have the process automated. >> the individual nodes themselves present a signature, don't they? could you use that -- what are the intricacies of taking it off a machine that is running an old version of windows and may not have any protection at install is that workable strategy? >> absolutely. >> you have done some of this? >> yes. >> shadow servers creates reports around the world. microsoft is developing a number of tools, as has a number of antivirus companies to make it easy to get off your machine. if everybody in the world would just check the box, block automatic updates, they would be clean, but kind of working through some of the mechanisms there people infected are
12:51 am
people that don't have the minimum protections, not running updated antivirus. the bad guys stop developing code. the vulnerabilities have been patched for three years so these are folks in limbo, not doing what they need to be doing. >> i think we're getting the cane. >> we're through -- one or two more questions. >> we're done. >> all right. that's great. please join me in thanking the panel tonight. [applause] >> one of the trickiest things about writing this book for me was thinking through the way that particularly in the international human rights context, rights were both straddle a moral imperative and aspirational ideal and more practical and formal mandate.
12:52 am
12:53 am
new reality behind arguments in washington with very little facts, and part of our job is to make the argument and the factual argument and the evidence-based arguments behind our own views, and i do think that sometimes -- when the facts don't argue for our position, we reexamine those positions because we believe the most important thing is to be right about what your views are. >> law professor and author, lori andrews, recently spoke about her book, "i know who you are and i saw what you did. social networks and the death of privacy." she examines the way that personal information of social media useres is checked and sold and argues a social network constitution it needed to
12:54 am
protect online privacy rights. the remarks came during an hour and five minute panel discussion. >> tackle a timely and thorny topic of individual freedoms in the age of social media. the founding fathers protected important rights from individual freedoms, right to privacy, the right to a fair trial, but now online social networks are creating an entirely new set of questions and challenges. colleges and employers reject applicants because of publicly available information and photos found on social networking sites, jurors post details on a case and ask their friends to vote whether a defendant should go to jail. marketing companies are facing lawsuits for allegedly collecting information about citizens based on our travels on the web without our knowledge or consent. how would the founding fathers handle these scenarios? what would happen if social networking sites were affected by
12:55 am
the constitution. professor andrews is from illinois institute of technology, her work assesses the impact of emerge social technologies. she has a book "i know who you are and i saw what you did. social networks and the death of privacy" and we are honored she has chosen the national center as the venue to launch her book tour. she explores the intersection of law, technology, social media and personal information on the blog, the not so private parts. before joining forbes, she was legal editor and worked for the week and the washington examiner. jennifer preston is a staff writer at the new york times where she follows politics, governments.
12:56 am
she took on the new beat in january 2011 after work as theonomy news room's first social media editor. she also served as an adjunct professor at columbia university's graduate school of journalism. moderating the discussion is christopher wink. a media consultant for the online system. the leads transparent stirks open government, reporting projects in addition to coverage of city i.t. policy. his writing appeared in the philadelphia business journal, the philadelphia inquirer, the pittsburgh gazette and the morning call. now i ask you to silence your cell phones in consideration of your fellow guests but i encourage you to use them if you want to tweet questions to the panel. please use the hash tag pound ncc privacy. now, without further ado, join
12:57 am
me in welcoming lori andrews, steph fran frank, kashmir hill, and christopher wink. >> thank you everybody. paul -- it turns out lapel mics are staff to put on people without lapels but we're here. as stephan put it, 225 years ago the constitution was written near philadelphia and in subsequent years the foundation of our democracy, the communication patterns and issues of privacy were developed, and 225 years later new communication forms are developing new standards. so as stephan said we have a great panel and i want to jump into it with lori by telling us why the social web is a constitutional issue. >> the founding fathers would have loved facebook, twitter and google. they were techies.
12:58 am
there was a clause in the constitution, the patent clause to encourage innovation but they were concerned about privacy, the fourth amendments, preventing cops from going in and finding a letter in a drawer in our house. and everything private about us is in the cloud, it's not the drawer in our house, and we have figure out ways to protect things we care about, right to free speech, fair trial, and so forth, in the digital world. >> what are we talking about give us the names of the organizations, of the service that we're talking about, and let's bring in other panelists. so, who we are we talking about? >> not only facebook, but private data on 800 million people, the third largest nation in the world after india, has its own currency and economy and has dealings with other nations, china, so forth. and yet there's no real decision
12:59 am
about what is done with information posted on the web site of facebook. these are people's private information. if a government tried to get that it would take lawyers and guns and yet we're freely giving that information out. so we are also talking about companies you never heard of, acxiom, a data aggregator that has information on 96% of americans. we're talking about a company that made a deal with internet service providers in california to put their hardware at the internet service provider and company and analyze every e-mail, every web search, everything that anybody sent, every google search, over the web. now, there's litigation, just settlement us but we have to think about the many ways in which our private information has become public potentially used against us. ...
1:00 am
monetized, potentially used against us. >> i want to turn to kashmir. we been talking about the nationstates. it seems like the beginning of this conversation about how we are comfortable with what the web entails is a reasonable expectation of privacy. i think there are those who suggest it's ludicrous to think that. this is not a sovereign nation here these are choices talking about kind of the feeling of reasonable expectation of privacy. if any of us deserve to have it on the web and kind of where that comes from. >> i mean, there are many different ways in which we are on the web and i think we have different degrees of privacy depending on which area we are talking about. so it's fair to say we have a reasonable expectation of privacy and our e-mail, which is something private. but when we talk about increasingly public forums like twitter or facebook, i think
1:01 am
that there's less of an expectation of privacy when you're broadcasting in a place that you know people can look at. so i think we really have to differentiate in terms of which were talking about. and i think because of the way the case that has changed in 50 years from being more of a private place to be more of a public place, people are still adjusting to that in this whole idea of putting information about ourselves online and out there. a lot of people get uncomfortable when it's used against them because they are not thinking of how it really are. >> update to comment they are considered private and they should be reasonable expectation of privacy notice, but that is not what the courts are frightening. e-mail should be chewed up like a postcard as if you're writing to anyone. and if you look at court cases, for example, one woman who is
1:02 am
really injured in the personal injury case, the judge actually use if she's got a smiling picture on facebook, not even asking if it was before the accident. and so, people might think -- might know enough not to lock onto nonblocking photos of himself on facebook, lots of things used against you in think about appeared holding a glass of wine at a wedding or 35% of employees say they turn out job applicants because they called a glass of wine in her hand. then you have things like people who are coming in now, young poor kid who are charged with gang members because they're wearing gang colors. i look at the los angeles police department. apply thinking he's hipster parent all black, new york art
1:03 am
opening. so i don't think we understand that seemingly innocuous device could be problematic, the woman who loses her child because she's got a picture on facebook. it is not knowingly giving up your privacy. yes, twitter, youtube, larger population, but sometimes it sneaks up on you and how this is viewed. >> quickly want to put this in context. so often in the united states we're looking at facebook and twitter. we will see it as trivial, but jennifer, talk about why social media at why we are looking at how much social media can be seen directly at the arab spring. you are involved in reporting. let's talk about why the social space and questions are a lot bigger than just what we see in the state. >> the privacy issues we are
1:04 am
discussing tonight are very important. but what is also important as these platforms turned out to be a tremendously powerful tools in countries where there restrictions of freedom of expression, another son late and these are rights and freedoms that many take for granted here in the united states. in egypt, many people first thought that if we kept on talking about facebook helped spark the january 25 protest and revolution. it did not begin with an event or an invitation posted on a facebook page. the community where there was tremendous discussion around police brutality and abuse issues actually began in june of
1:05 am
2010 and that was the facebook page that was started by a group of anonymous human rights activists. one of them was why outgoing aides, who is also working as a critical marketing executive. it would have been if there is a god and who was killed by police. police lied to his mother, first big mistake at the next thing that happened was someone in the more it took a photograph with a cell phone that this young man's battered face and they put that on youtube and facebook. in june of 2010. over the next few, hundreds of thousands of people joined at facebook page and on the facebook page, and they discussed things that they could not disguise. in an internet café or really
1:06 am
anywhere else. so i think tonight talk about the theory imports since concerns about privacy, that we also remember and think about what our founding fathers might have thought about how powerful these tools can be for promoting democracy and for promoting freedom of expression. >> i think that's why advocate the rights to connect because what egypt do? they shutdown the internet after people who use that as a way to recognize. you might think we may not have been riskier, but senator lieberman has suggested a kill switch, various senators have suggested all have digital tags so they can hide dissenting voices. so i do think it's really important and you may be surprised to learn we are far behind other countries. estonia has the right to connect and you're guaranteed to have
1:07 am
internet service provider nearby to get free access to it and other countries you can't be so readily bumped up the internet if you have a copyright violation and you're downloading music and so forth. estonia in the rankings of price actually rank much higher in part because that is openness of the internet there. so it is an important democratizing tool. >> is the perfect opportunity. the social networking in a conversation or privacy and freedom of speech, nothing short of the future democracies around the world. laurie, in your book, it does to your social network constitution been a lot of questions i'd like to hear about why private companies may not dive into that, but this is a great start of the conversation. the incredible communication tools. maybe walk us through in your book way it though there's a competition comes to the
1:08 am
highlights of what that means that we can get some other from kashmir and jennifer about what could be a part of that conversation. >> well, u.s. and important question. what we think about our constitutional rights and here we sit on the 225th anniversary of the united states constitution. other countries rights as well in many countries. why should private companies even care about this? i think these constitutional right really are based on fundamental values that we all share. initially the founders of face up in the new generation is it going to care about it. but internet polls say that younger people care about it more than older people. 70% of young people achieves the highest privacy settings. first of all they get regular
1:09 am
like the federal trade commission because the u.s. constitution has influenced private laws. we privacy laws for privacy. we are proficient by the quality of the constitution have been enacted a civil rights laws. so it influences private laws. in addition, there may be a market for privacy. .. anywhere you go on the web is
1:10 am
not protected, but really think about things that people might hold dear and private. >> kashmir, can you jump in. you do coverage around the intersection of technology and businesses and folks involved here. does this seem like a real step forward? talk about your reaction. >> i think that judge is an outlier and speaks to one of the problems at this point is that a lot of judges who are interpreting the laws around these technologies don't often completely understand the technologies. extensions are around your e-mail can only get that for a word it is like a complicated technological issue many would say it's private correspondence and in terms of trying to apply
1:11 am
-- go on. sorry. >> to apply the constitutional rights to the social networks, constitutional rights are supposed to protect our rights against the government and some of the things you said just businesses shouldn't be able to look at a person when they are making hiring decisions i find that very problematic. increasingly now on the social network we kind of mix our lines all together so you have the personal and professional mixed up on your facebook account, and business customers will be looking at those places and so i think businesses want to think about how they are represented by their employees because the businesses are not allowed to look at those accounts but the customers are and then can judge those businesses based on how their employees appear. i feel like you are suggesting
1:12 am
violating the rights of the statistics there. >> i would say that one of the issues first on the protection, when the courts have considered cases where the data aggregators put cookies on your computer and consumers have gone to court and said this violates the federal wire tap act, i need to be protected the courts actually favor business too much and they said as long as one party gets comes and it's okay to reduce its website is dictionary.com says it's okay for marketing companies to gather and monetize my information i think that one party consent is crazy and should be asking me. so i would change that. i think we really are just well protected as you think and with respect to e-mail, okay, girls with eating disorders sued blue
1:13 am
cross blue shield to get their compensation under the psychological benefits. a blue cross blue shield said i want every e-mail come everything she's posted on social network pages to prove that it's a social disorder that's got her having bulimia or whatever. so the judge gave that up. in a divorce case you can have the entire hard drive of the spouse so all this stuff is coming in and to businesses, i'm more comfortable with an approach like we see in europe where germany is debating about whether employees can use the social network information. we have finland where you can to google and employees before hiring them. i love social networks. i don't want to see people branding themselves where it's the rich families to hire children. and now they've got someone
1:14 am
starting when the kid is too because that's when you get a facebook pager parents start putting things on to make sure you are only saying the smartest clever things, i want it open but i want it protected. >> why would you want it open? i am the mother of two teenagers. trust me, i don't want their information open, and facebook does now offer -- they have learned because there was a huge backlash from users, and they have made privacy settings more transparent and as a reporter that looks at facebook pages i will tell you there are a lot more people that have their facebook pages private that i've noticed, so the tools are there for people to control and manage their information and what we need here is a public education
1:15 am
campaign for parents, for educators, for people about how to use these tools responsibly. >> we are still adapting as a society and we are still learning what it means to be exposed the way that we are because the way that we track our lives and share information online and i do agree that part of the problem here is getting everyone educated. >> about an employer should get it so should the to the private side right now in maryland and massachusetts employers are saying listen, if you want a job you have to tell us your password so we can go in that private side. so the bottom line is there are laws governing employment in the united states there are certain things an employer can ask and certain things an employer cannot ask. an employee cannot ask your
1:16 am
marital status so an employer cannot use that information against you in hiring decisions. >> how do you prove it. >> do we need additional laws? i don't know. there are laws on the books right now. one story i did last summer which opened my eyes to a lot of what information employers can gather on people there is a startup company called the social and intelligence and they are running their business like the way a credit reporting agency runs their business. so what they do is provide employers with like a social media credit report on the potential employees and they do however for to employers they will gather every single thing that you have ever said in a chat room, posted on flickr,
1:17 am
put on the instagram photo sharing sites. but they are not -- they are very careful about this report what information they provide to employers. they only provide information that is allowed under the law to be considered in hiring decisions. >> so if you go in and put in your name you will see your telephone number and then make an estimate how good your credit is. if people pay a little more a month, they can get things you posted on the social networks and elsewhere and they make no pretense of following the credit reporting law. you've got everything wrong about me and you can think about it if they say her credit is bad
1:18 am
and good and i might get a loan, the in fact would ban on their ads that say researchers, don't you want to see what is on all of the dating and other sites they say they go on to this side of who to hire and credit cards to offer people, and when an individual says this violates the credit reporting act because usually if you make the credit assessment about someone you have to tell them you were doing it and have the right start applying them. we have great laws that take medical privacy but if it's in the hands of doctors and hospitals so there's a website patients like me and a lot of
1:19 am
people posted and selling depressed, and suicidal, i have alzheimer's, and the share information to people secreted distance or could learn stuff. nielsen, the data aggregator had them collected three birdies information and all of a sudden they started pulling on their sites. when i say i think we should be open, i think we should be allowed to be open about our ideas in a private setting and shouldn't be have to restrict ourselves because of the fear of what is done with that information. >> i think i heard you kind of tell that and something folks are thinking. there's a balance whether we are in the period of flux like to sit and 20 years from now we will giggle that we are having this conversation. >> or cry. >> maybe talk about that. some figured out because we're in the period of the institutions and individuals are figuring out what is appropriate and kids will figure out what's
1:20 am
natural or is there a real fear, talk about that. >> it's interesting. i don't know how kids who are in the internet now and things they're posting are thinking about the fact that will still be there in 20 years and could end up playing into the future hiring or future political plans because its new. but in 40 years we will have somebody nominated to the supreme court who will have been on facebook for most of their life, and there will be a ton of information there. i think we are already starting to see it with some of the under political candidates like crystal running for congress in virginia and there were some of those -- photos that popped up from a party after college where
1:21 am
she was there with her then husband dressed as santa, and her husband was dressed as rudolph the red nosed reindeer but he had something that wasn't a red nose on his face, so it was kind of embarrassing for her and her reaction, this sort of went viral and i often she would win the race that she was running as a democrat in the conservative district and she didn't win, but her reaction to it was to say this is how we are now. we are going to have more background material, and some of it will be very personal and that is the future for her generation, my generation in the coming generations. and the challenge that she posed for society is whether we can adapt to that and start looking
1:22 am
at people as the full version of them whether our expectations of people will change so that we don't expect people to live these puritanical lives that people have -- are human, exactly. and i hope that is the direction that we are going to move. given how much of our lives are captured on-line that is inevitable. >> if there was a button you could press when you were 21 or 25 and just erase every photograph or in some inappropriate, but there isn't, and so i think what that means for all of us, whether we are
1:23 am
journalists, parents, educators, it's a huge responsibility. a huge responsibility with our kids to raise their awareness because there's a simple fact every single thing you post could be made public if you have very tight privacy come if a friend this share is something you share on your network, it's been public, and so i do think that right now when we are in this period as described there's just a huge responsibility for all of us to use these tools carefully one has been designed to make sure your digital photographs delete after two years so the pictures of you with your ex-girlfriend and so forth, and i do think you're
1:24 am
right we are in a period of flux, but i heard that before. we are all in this together so we will all have these photos etc, but we have had people who are applying to supreme court and smoke pot like devotee of that generation they didn't get that job, and i heard that with the next once it became publicly was told as everybody has 8,212th genetics. we will be in this together. we won't discriminate, but certain people feel their feelings are worse than yours so there's still discrimination and what happened is we are in a period of flux but with every technology that i followed whether it's genetics testing or forensics technology, initially a lot of stuff was used and then privacy was protected and expanded so i don't think we are going to give up privacy, the courts are just going to come around to it like they did in
1:25 am
cases the supreme court handle where they could go along the street and point the heat detection device and see if there were more lights on than usual to determine whether you were potentially growing marijuana, and even though they didn't enter your house and they were coming at it from the street so initially court said that's okay there is no fourth amendment violation and eventually the supreme court said no, no, that's part of your expectation of privacy so we will eventually get there but a lot of damage might be done >> i want to ask one more question to the panel and myself but then i want you to think of ideas and we will have questions i'm not very good at panama and in. the panel to bring this back to the concept we are here with what the founding fathers have thought about facebook with the discussion we had at your own
1:26 am
take on it so the founding fathers were a wide-ranging group of personalities give or take so give us this sense with the founding of this as a group of loved the freedom of speech opportunities tenafly. give us a walk through there. >> love the freedom of speech. be concerned when the chief of marketing of facebook and former ceo said we have to do away with anonymity because that was certainly part of the founding principle. also how it is playing out in the right to the fair trial where people are googling facts of the case and put another page and asking their friends to vote up or down even though you are only supposed to consider what's
1:27 am
going on inside the courtroom. so those would be the sore spots for the founders. >> i think twitter and facebook would have been beneficial during the american revolution. these are great tools for organizing. ben franklin used to keep a daily journal where he tracked his virtues to figure out if he was being a better person and i think we live now where we like the idea of archiving and tracking ourselves. i know you were talking about the tool for deleting data and having expired but i don't know anyone would want their photo album to just disappear in two years. that's kind of usually our worst nightmare when your house burns down and we lose precious photographs. but i think there are so many benefits to this -- to these new technologies and this idea of tracking and gathering data and being able to look at it over a
1:28 am
long period of time and i think that's something that ben franklin for one would have loved to a certain extent. >> i think certainly the founding fathers would have found a tremendous utility in these tools, except if george washington is talking to delaware and one of these guys says on facebook it's pretty cold this christmas as they head for trenton and alerting those other guys that could have been a problem. so, you know, as laurie has been saying and i think what we are all saying is that a balance -- there needs to be a balance and people need to recognize these are companies with terms of service. read the terms of service for one of the social networks that you use, and they're
1:29 am
businesses, so awareness, education is vital while the courts and various state legislatures are wrestling with these important issues identified. >> let's go to the ultimate device for the audience question. walk over to the microphone over here. >> as the audience makes their way to the microphone, there's a bunch of questions here on the twitters we just want to ask fast while the audience makes the way. first is the practical question can employers access a facebook account if their status is private, hoping you can explain how that works and second, the question is we are a representative democracy but it's based on participatory democracy seems the founding fathers would be skeptical of the social media, no? >> do you want me to take the first
1:30 am
practical question? >> they may get it from the data aggregators that have scraped your account and they may get it from the sort of companies that traffic before you took down and made private your account. there is a long time myspace didn't have the privacy settings and so the need to get people based on that. but generally, courts, police can get your private side that employers can't if you have current privacy settings although some as i mentioned will ask for your password to get to the private side. >> i wanted you to just give a quick walk through because that may answer some other questions what is the nefarious side and what does that mean? >> facebook is basically a data aggregator. it makes $1.68 billion by serving as an
1:31 am
intermediary between advertisers and private information. so if i post i'm thinking of going on a chart to florida it can pop up about airlines and so forth, but some data aggregate terse u.s the web begins to collect all aspects of the web and so forth and they haven't said that the problems of there is a lot of information that follows all over the web and can manly be used for marketing but now can be used for other purposes. it's been a gift to recount his private it's hard for an employer to look at it, something some employers have done is sometimes you can to access their information if they've made it available to their networks as something of a
1:32 am
lot of employers used to do is if they had an intern, that intern could access certain information for other people so you want to look at your privacy settings and no, make sure you know what audience you're exposing to and if you are only exposing it to your friends then for the most part only they will be able to see what's there. estimate they wouldn't have access to that id file understanding. >> how would the police and the courts get access to your data without a subpoena or court order? >> go to the social networks themselves and the foundation has a project they are looking at which exactly what government agencies are looking at the information about you and the
1:33 am
emmanuels to see how much they give without a subpoena. so it's really very interesting because there are these guidelines like the immigration service to go on and to be able to find out about other people want. >> did you catch that, let me repeat the second question, do you still have that? >> the nation is based on the representative democracy so the question of the social media having been built as a participatory direct democracy the founders would be skeptical, something like that. >> especially of the women jumped into the conversation. >> it's probably true, skepticism for sure. >> what's just to kind of direct questions. this point you talked about what should be and what shouldn't be
1:34 am
private but a concern i have is if things are to private and we have too much anonymity is easy for me to masquerade as somebody else because i can pretend i am you. how we address that? >> california has the impersonation law and it's in part because it pretended to be someone else but in the cyber harassment cases where the parent of the mother of a rival would pretend to be a 15-year-old boy, friend, bader's rival and pretend to be interested and then push that% words suicide. so i think that we are again balancing between freedom of expression, the importance of anonymity and political spectrum and then the whole harassment issue.
1:35 am
>> i will tell you on her the identity is not required and in the political space, and i've covered politics for a long time and i've covered dirty tricks and i used to cover future new jersey so i would get the calls from the new jersey state troopers hey did you hear about so and so and this candidate and that candidate. but now what i'm seeing about twitter is it is a new form of dirty tricks and it's all done behind these anonymous accounts, so it does create some very big -- >> charnel problems, too. they had a lot of misinformation that actually was not part of the case and so they tried to get in order not allowing the jurors access to trigger or the
1:36 am
ability to tweet. martha stewart immediately created a web site, expensive website about her daily doings to influence people's opinion in the case. as to make it does tend to come out and that this kind of the beauty and the difficulty of the web, but it does apply and when people break the law and, oftentimes they discover they are not as anonymous as they thought they were given our activities are lead and we leave the ip address behind it's like leaving a fingerprint and so when people do defame another person or break into servers, often times they do get tracked down based on the fingerprints they left behind. >> let's jump to the next -- she had her hand up down
1:37 am
further here. >> when i'm going to ask ties starkly in to that. where i work recall that the notion of security if someone is looking to find you they generally can through technical kernan six and that sort of thing but my question is to go on the distinction between what an employer might be looking for on the job that you are representing your employer or organization of around-the-clock 24/7 to provide would like to hear your thoughts on what has just broken as a news story with u.s. army troops and the issue of the firewall video and whether you see the distinction between this being armed forces and with the greedy and is going by people from the armed forces
1:38 am
to people involved in the private industry in this sort of where that line moves so the whole question of whether or not 24/7 is a representation of their organizational affiliation >> do you want to jump in? anybody? >> i was in his later security conference and was basically offline. >> there was a video of that. >> that shouldn't prevent court-martials and so forth. what about -- here is one of the issues that comes up. here's the video that was posted on the ex-husband that the court did not admit someone shooting ronald mcdonald in the face. if i worked for a company may be
1:39 am
some of the people, customers wouldn't let that i still would allow it to be kept private. i would say you should have privacy settings because clients didn't like women lawyers. we've gotten over letting the customers run what competent people in their jobs can do and so i am completely comfortable having those off one at who might make bad decisions and we are seeing some movement in that area. for example, employees can't discriminate against you based on your genetic makeup, but the eeoc said they can't go on your facebook page and see if you like the book cancer association were say i've got a doctor's
1:40 am
appointment for my covington's disease and so forth. you can argue that companies might be benefited by having that and then can choose not to hire or promote employees who might cost them money on their insurance but social networks are off limits to employers in that setting. we have rules that the eeoc and national labor relations board said it's okay to say critical things about your boss on your facebook page or company if it's part of a lobbying effort to change conditions. so we have the backbone for protecting it. i don't think it is that big of a reach to see keep it off limits. >> i think the reality of the new world as we try to live on our smart phones and we're always checking our e-mail, we are always kind of connected to
1:41 am
work and on the web when we are moving around we tend to move around with our employer attached to us and it's not true for everybody but where we work on facebook, linkedin, on twitter whether you see it as a good thing or a bad thing, we have come to represent and be attached to our employers all the time and so i think this is a part of the education is you have to think about that. there will be repercussions for what you put out there, and he might be fired some people need to be cognizant of that in their decision making and what they do online. >> at the new york times when i was the social media editor there was a big question is should we allow journalists to go out there and post on or
1:42 am
should we impose all sorts of restrictions in the rules? what we realizes we have lots of rules of the new york times. we have an ethics and guideline book like this. our journalists know in your yard so you shouldn't say, you know, i love sarah palin when you are a journalist at "the new york times" so i think there are many guidelines and rules that exist out there and we need to not necessarily make up new ones, with the most important thing people need to remember when they use these tools is what your mother told you, good judgment show good judgment i
1:43 am
did what about school boards across the country in of the guidelines for teachers on facebook, because for many teachers the decision to friend a student or not is a decision are making all by themselves and if he's been getting teachers in trouble it might sound fascinating some teachers unions fought back against these guidelines. they saw them as being too restrictive of freedom of expression and there was a dispute over the proposed law in missouri however some unions saw these guidelines as kashmir said in this period of flux as the guidelines that really protected educators and
1:44 am
helped them understand what was appropriate and what was not appropriate to say and do on the social network. >> you mentioned about 70% have all of their privacy protected. to me that makes sense because the are the ones taking photos, getting drunk, putting it on facebook. so as those people start their own start-ups and become the business force in america where do you see the law coming from and the change to start from and because they are studying their own jobs and we have a different opinion of things, don't you see that our lives are transparent instead of being judged the system as a person.
1:45 am
>> i think some businesses on like "the new york times" white seen some of the younger lawyers having their web sites which legal character in a tv show they want to be, but new issues are coming up and when you were talking about but wider audience you have where employers are then saying we own your audience. you can't take them with you and so i think you'll have to face the intellectual property issues this generation has in terms of if you build up a huge following and change companies who owns that. if you have cbs thought,, you end up in may tiff with a television network as to whether you can take your followers with
1:46 am
you. >> i just wanted to say that i recently left facebook because every day i'm reading about some case where it's being used against people in the court, they incriminate themselves and they can't plead the fifth. i thought it was a key to the community and then my aunt got on there, my daughters, classmates parents, my mother-in-law. >> you don't have to be their friend. [laughter] >> you don't want to see my house at thanksgiving. but he said it would be nice if there was a big reset button you could push. yeah, that would be nice.
1:47 am
but facebook -- they don't want to make that button and i can't pressure them to. the only thing i can do is quit or i can have three friends and maximize my privacy settings and scrub three years worth of data so i see nothing wrong with a law telling us facebook, you have to give people more control. >> this seems to be the heart of the question is the market dictate what privacy should be in the future or should there be more legislation jurisprudence. do you have thoughts addressing that? we all need that. estimates often the response of that is if you don't like it, if you feel like the privacy is being violated than just quit to read in one way that's a valid and another room. it's difficult because we have built networks and it's a way people communicate so if you are not there you can't communicate.
1:48 am
but i do think that this is evolving and if we find that there are more down sides to being on facebook than there are upsides then people will leave and i think that will happen. there are some people that decide to quit facebook and a lot of them come back. it's hard to live without facebook fighting gib there is a reset button that you deleted your account and when you come back you can start fresh and rebuild. some get used to be that facebook kept your information where now the center makes them if you quit, delete within 30 days so that's an important aspect. i think we might see some alternatives to facebook coming up to go back to that original
1:49 am
idea. but i do like the saturday night live skit my mom is on facebook, where there's a computer program you could use of if you have a beer in your hand it turns into like a diet coke and if you are naked it turns into a t-shirt that says i love my mom. [laughter] so we do need the know my mom is on facebook. i have a son of 23, my son is on facebook. notte river has their own youtube channel. >> for parents if your kid is on because there's a lot more content that can be created there on some of the other networks. >> there's been friendster. my feeling is facebook is more entrenched.
1:50 am
it does seem to appeal to some of different generations that is dependent on your generation also being drawn to facebook but there are so many different social networks there are other places you can dakota -- can go to have a private space. there are more social networks so people can start doing different things in different places, and that way they can sort of keep their identity somewhat separate. spec i've been alerted there are five minutes left. you get social capital to estimate a similar situation. if we go back far enough, health care and your private information about your health was not necessarily restricted by law, yet hipaa cannot in all of that information is prevented by law to be released. why couldn't a similar situation be developed here ought what is different you are providing the
1:51 am
information per say on facebook where the health information is when you go to a hospital or doctor's office yet that is pretty tightly controlled and i think really effective. couldn't something like that be implemented in the situations? >> it could be and especially now we are seeing an overlap where people post information. the type of information people post are the type of information about coming you know, relationships, sexual become sexual preference, political and trust and so forth that in the past we have most stringently protected under privacy laws and so there is an argument that you have an expectation of privacy in facebook because you have different people. it's not like reading about this on a bathroom wall. you get the impression that you are talking to smaller groups and so i do see the privacy
1:52 am
evolving to cover social networks. >> i think it's very ironic that once the data aggregate the large commercial dalia and lots of companies making money with those but nothing is done for people that are concerned with or where there originate. i remember of the department of sales certainly soared on what kind of cars people alone. this was before facebook, etc., and i thought it was an outrage at that time. so the point is how about the commercial aspect of the ownership of the data. don't they belong to me instead of the company that sells it really? shouldn't they ask or pay me for
1:53 am
that? what the value doesn't actually have at my level? >> there is a company in great britain that allows you to process from dave aronberg leaders and if it is like part of a fence you get each -- >> if i say in order for me to sell certain data about myself you have to pay me a thousand dollars a year or what ever is then maybe to slow that process down. >> one reaction to that is there or a lot of things you get for your data. you get free media content, you get to use google to provide you think we are giving up a lot data for these online services that are free but they are not free. the data is what you are paying
1:54 am
for those services. >> i think if you are aware of it might see ulterior facebook. do you need a company that makes 2 billion a year on the display or could some other group of twentysomething create something where they make little less and you have little more privacy protection and get the benefit of a -- >> next question. >> i think the vocabulary likeable law isn't really suited to this problem and the question as protection against the use of information. i will give you an example. a lot of the conversation has been well, you can protect yourself. you actually can't protect yourself because anybody can put that information that we would normally consider private and we don't want to suppress that with freedom of speech. by way of example one of my classmates from way before any
1:55 am
of this has scanned letters and photographs and so forth from high school and put it on the web. [inaudible] >> i'm sure you're always professional. >> and the photographs that go up may be put up by one of their friends, not by them. >> i do think facebook and these other services have made changes in the last year, important changes in the right direction and one of them includes tagging where people cannot just tag you without your permission to revise the mick on the other hand they developed facial recognition so automatic tagging so facebook said is in this great and to give an example now
1:56 am
a bride doesn't have to tag everybody in the wedding if she had to taguba ready, you know, maybe they wouldn't attend the picture of you having the sake bomb or kissing someone else's wife, it's automatic. you can untag yourself. the technology i've been reading with the technology is going and for the technology where the idea is ayes or picture with my smart phone and it tells me every dating site you are on on tumblr and what you listen to -- >> we can't control what people say about us. what's different now is they can see it in a place they can have a huge audience and that's really the difference. >> and the people that were telling it to don't know other things about you that you are
1:57 am
really irresponsible person and so forth and so the world audiences something different. islamic i've been trying to hide the fact i have a ball cut for years but i can't now. >> i was going to say in rural america one of my friends to you really smart story and i wonder if there is a place we could put a link after this so that you might be able to see some of the pieces and articles and issues and things. in small towns across america there is a social network that not many people know about here in philadelphia or new york or boston where it's nasty and many of these small towns because they don't have real identity and people are saying all sorts of -- >> and if you are married and want to have an affair one of my friends went to a remote area of
1:58 am
michigan after his father died and he went on this web site for that area and found all these people that he ran into in the post office and so forth advertising to have affairs so more may be happening with social networks. >> final question over here. >> i would really love to end on a positive note. i resonate a lot with what kashmir has to say, and positive benefits of social media are tremendous pull we're talking about as negative behavior that has a lot of psychological ramifications. but yet what about the positive be fair? i'm a social media administrator and fraud investigator, so i can see both sides of it. the connections i've made to build my professional life in addition to my personal life are just enormous and i would love to have a conversation about the
1:59 am
positive benefits. >> and the degree we two endowment node is extol, you have 15 seconds. extol the virtue of the social web inlet fervor format you choose. >> look at what happened in the last year in 2011. it started in tunisia. we saw what happened in egypt. it's not just social networks protesters in the box and, the head of the ticket photograph of what was happening to them and their ability to transmit that around the world helped save them at some difficult and dark moments and then what we saw with occupy wall street where the horse has left the barn. people are documenting their experiences,