Mark Twain’s ghost haunts copyright history

After years of toying with the idea, Kash finally convinced me to write up the bizarre copyright story that started seven years after Mark Twain’s death, when his ghost reportedly dictated a new novel, via Ouija board, to Emily Grant Hutchings. His publisher said: well, if Twain wrote it, we own it.

So the more firmly they insisted Twain himself was behind the work, the more they strengthened the Twain estate’s copyright argument that it, as the owner of all things written by Twain, owned this book, too. And Twain had a deal with Harper & Brothers that gave it the sole rights to publish books by Twain, so Hutchings and her publisher would have to produce credible evidence that he wanted to break that deal in his afterlife.

They just don’t make them like this any more. I’ve been pretty happy with the reception this piece has gotten, too, including a write-up by Techdirt and the lead spot in the Paris Review’s link roundup this week.

NYPD denies records of copyright communications it had previously acknowledged

A few media outlets reported last summer that the NYPD, in its continuing efforts to crack down on the sometimes-annoying costumed characters in Times Square, had asked Disney and Marvel to initiate copyright action there. Disney and Marvel didn’t bite. I requested the communications (or records thereof) under New York’s Freedom of Information Law, and got told — months later — there were no such records. Strange.

I wrote the whole thing up for Techdirt this week:

Unfortunately, the nature of frustrated transparency efforts is that we don’t really have the answers. If the NYPD had promptly responded that it had no such records or would be withholding them according to a particular exemption, or even if it had given me a limited set, we could close this case. As it stands, we don’t really know anything more about the NYPD’s bizarre efforts to jam its “quality-of-life” issues into an ill-fitting copyright enforcement box.

Generative tiled watercolors and live south Indian music

A few weeks back, Gautam Tejas Ganeshan invited me to display selections from the Pomological Watercolor Collection behind his performance at San Francisco’s Artists’ Television Access space. I jumped at the opportunity, but stressed a little at how I was going to present them. I didn’t want to do a plain old slideshow, and I didn’t want to do anything that looked cheesy.

A few days later I had the idea to draw a grid of tiles, some of which were blank and some of which had watercolors, and play the Game of Life with them. Pretty immediately I ruled that specific plan out—it’d require a large grid, and the paintings would be too small to show any detail—but I was intrigued by the idea of flipping tiles between blank and fruit images.

The result is a little program I called pomtiles.[1] It generates a series of frames with grids of between 2×1 and 3×3 tiles that each show hand-selected colors or randomly picked images. The frames are suitable for stitching up with a program like ffmpeg into a single video. The one I displayed tonight, embedded below, hangs on each frame for 12 seconds and has no accompanying audio. Suitable for being in the background at a party, perhaps.

It worked really well in context. Gautam’s music demands a lot of attention, and the images complement that nicely—something in the periphery that is not too challenging, but a nice spot to focus your eyes. The concert ran for a bit over two hours, so the three-hour video didn’t even have to loop.

Of course, there are a few things I’d have done differently if I’d had a little more time and expertise. Most would have given some more consistency to the rules, but then probably nobody cared about that but me. Some aspects feel unfinished—like the fact that individual tiles can be modified multiple times between displays, say, or that changes to the rows and columns always happen on the right and bottom side—but the video worked well.

In any case, the Python I wrote to generate the tiles is now online and dedicated to the public domain. It’s a little janky in places (written with my objectives in mind), but if you want to run it and need help, just let me know.

  1. This is the project that I learned how to mat images for, which has already benefited @pomological.

New square backgrounds for @pomological

I’m happy to say I’ve fixed the most frequent complaint I’ve gotten about @pomological: the images, while great, are overwhelmingly in the portrait orientation, making the preview images on many Twitter clients—and especially—kind of lousy.

No more! Beautiful squares on a color hand-picked to match most of the painting backdrops.

To address this, I had to learn a little about pillow, the leading Python image library. Now, when the bot downloads a random image from the watercolors, it draws a new neutral-colored box that’s a little longer than the painting’s longest side, and pastes the thing in the center of that.

The hardest part was ensuring the resulting image was in a format that Twitter can understand—especially because this is one of the handful of things that changed in between Python 2 and 3. But I persevered, and read a lot of documentation, and now it’s live.

Amazon backdoor exposed wishlist mailing addresses

There’s an article circulating right now about how Amazon customer service can be exploited to reveal targeted mailing addresses. I discovered and reported a similar vulnerability in December of 2014, which was reported to me as fixed in May of 2015. I haven’t publicly documented that process until now.

The vulnerability I discovered relates to Amazon wishlists. Users can associate wishlists with a private address, so that people can buy and ship them gifts without having the recipient’s private information. That address should be kept confidential throughout the entire process, but I found that third party shippers—routinely used for Amazon sites outside of the United States—would sometimes include it in confirmation emails.

In particular: I used to send a book to a friend, and Canada Post delivered her full address to me in an email. In this exchange, Amazon’s confirmation email properly showed my friend’s address as redacted, but Canada Post revealed it in its entirety.

Amazon confirmation

That would be unacceptable in any circumstance. But it’s all the worse because some of the people who use Amazon wishlists are especially vulnerable to targeted harassment. The service is popular, for instance, among camgirls and sex workers accepting gifts. I’ve also seen wishlists from Twitter microcelebrities, who get occasional threats and unwanted creepy overtures, as well as wishlists from women who are trying to get some support after leaving an abusive domestic situation. For many of these people, a revealed address can be devastating.

I contacted Amazon Security via email,[1] and got a confirmation number and a response from a human that it had been assigned to somebody. The fix, introduced in May, seems to have simply removed the second confirmation email direct from Canada Post.

My email to Amazon Security

Amazon Security fix
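The leak described above is a buyer-facing message carrying address fields that the platform's own email had redacted. As an added example (not code from Amazon, Canada Post, or this post), the Python below checks each message a buyer would receive for confidential address fields, tolerating differences in case, spacing, and punctuation. The address, the messages, the field policy, and all function names are constructed for illustration.

```python
import re

# Constructed sample data: not a real person, address, or message.
ADDRESS = {
    "name": "J. Doe",
    "street": "123 Example Street",
    "city": "Ottawa",
    "postal_code": "A1A 1A1",
}
# Fields the buyer must never see (assumed policy for this example).
CONFIDENTIAL = ("street", "postal_code")

MESSAGES = {
    "platform": "Shipped to: J. Doe, Ottawa (full address hidden for privacy).",
    "carrier": "Your parcel is on its way to:\nJ. Doe\n"
               "123 example street\nOttawa ON  a1a-1a1\n",
}

def _norm(text):
    """Lowercase and keep only letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def leaked_fields(address, message, confidential=CONFIDENTIAL, min_len=5):
    """Return the confidential fields whose value appears in message.

    Both sides are normalized, so 'A1A 1A1', 'a1a-1a1' and 'A1A1A1' match.
    Values shorter than min_len after normalizing are skipped to avoid
    accidental substring hits. Abbreviations ('St.' for 'Street') are not
    handled here.
    """
    haystack = _norm(message)
    hits = []
    for field in confidential:
        needle = _norm(address.get(field, ""))
        if len(needle) >= min_len and needle in haystack:
            hits.append(field)
    return hits

def audit(address, messages):
    """Map each sender to the confidential fields its message exposes."""
    return {sender: leaked_fields(address, body)
            for sender, body in messages.items()}

if __name__ == "__main__":
    for sender, fields in audit(ADDRESS, MESSAGES).items():
        print(sender, "LEAK: " + ", ".join(fields) if fields else "ok")
```

A check like this only helps if it covers every party that emails the buyer, since the redaction in the platform's own confirmation was already correct.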

Although the five month window to fix this situation seemed too long to me, I didn’t want to go public until it had been addressed. An attacker who knew about this vulnerability could easily exploit it for the cost of the cheapest item on a particular wishlist, and the only fix a user could make was removing their address entirely.

Given that particular combination—easy, cheap exploitation, and no alternative path to security—it seemed irresponsible in this case to disclose the problem publicly. Others may disagree.

This isn’t the first time wishlists have inadvertently leaked address data—it happened at least once before in 2011. Nor do I know for sure that the fix has been applied worldwide, as I only tested in Canada. Unfortunately, for people who could face threats if their address were revealed, Amazon seems like a dangerous service to share it with.

  1. They make a PGP key available, but only distribute it over unauthenticated HTTP. All the more reason Amazon should switch to entirely HTTPS.