November 16, 2004

Reports You Won't See - A Survey Of Censorware Cryptography

[Another Censored Censorware Report]

Having examined more censorware internals than anyone else in the world, I've considered there might be an interesting academic survey paper describing the encryption algorithms employed various programs. It ranges all the way from the trivial encryption of "XOR" with a single byte (the original version of CyberSitter), to the full-blown Data Encryption Standard (DES). Of course, using the power of the Data Encryption Standard algorithm doesn't help too much when they give out the key in first place if one knows where to look.

Digression: During the DMCA exemptions testimony, when censorware company representative David Burt was taking the tactic that no American military was in Iraq no censorware decryption had been done, I thought of replying along the lines of "David, does the string [recite N2H2's private decryption key] mean anything to you?". But sadly, as a mere PR flack, he probably could have truthfully answered that the random letter/number combination which was N2H2's private decryption key, did not mean anything to him (and I couldn't remember it right then anyway).

But in terms of lawsuits, this isn't playing with fire, it's playing with WMD's (Weapons Of Mass Destruction). Or Lawsuits Of Massive Damages. A few years ago, when CyberPatrol sued two programmers, they opened with a $75,000 damage claim. Remember, that was just the start. These days, given the success of the music industry litigation tactic of loading up on claims of huge damages, gallows humor is whether a censorware lawsuit would confine itself to claiming mere millions of dollars, or go for billions of dollars.

Let's recall, even the DMCA 1201(g) research exemption is full of wiggles such as:

... the person made a good faith effort to obtain authorization before the circumvention;

[elsewhere] ... whether the information derived from the encryption research was disseminated, and if so, whether it was disseminated in a manner reasonably calculated to advance the state of knowledge or development of encryption technology, versus whether it was disseminated in a manner that facilitates infringement under this title or a violation of applicable law other than this section, including a violation of privacy or breach of security;

... whether the person is engaged in a legitimate course of study, is employed, or is appropriately trained or experienced, in the field of encryption technology; ...

There's almost a paradox here, in that low-hanging research fruit is likely snapped-up already by high-ranking researchers, leaving hard foraging for those further down the ranks. But that's exactly the sort of work which is going to involve more risk, yet at the same time apparently has less legal protection, because one almost needs to already have good formal credentials ("appropriately trained or experienced") in order to qualify in the first place! (i.e., want a job, get some experience, want some experience, get a job).

A paper which does very little for me personally, but has a reasonable chance of pauperizing litigation, yet I have no organization backing, is all a losing proposition. I am chilled.

By Seth Finkelstein | posted in censorware , legal | on November 16, 2004 11:59 PM (Infothought permalink) | Followups
Seth Finkelstein's Infothought blog (Wikipedia, Google, censorware, and an inside view of net-politics) - Syndicate site (subscribe, RSS)

Subscribe with Bloglines      Subscribe in NewsGator Online  Google Reader or Homepage


write it... publish it... then run. It will be exciting and we're bound to get you legal protection if you need it. Think of it as adventure tourism of a sort. (all of this is moot if you have young kids...)


Posted by: joe at November 17, 2004 08:13 PM

Run where? Who is the "we" which is supposedly bound to get me legal protection? Especially given how little support I've gotten since literally day one of my censorwarware decryption work.

Posted by: Seth Finkelstein at November 18, 2004 09:54 AM

Publishing rather abstract algorithms without actually naming the companies could do the trick, couldn't it? Most of them wouldn't be able to find out which algorithm in the description is theirs.

Why are the filter list decryptable at all? If I would write such a beast, I'd use cryptographic hash functions and a wide range of URL normalization functions. In this case, the only effective way to recover the list would be your own extensive URL list.

Posted by: Florian Weimer at November 18, 2004 05:59 PM

Without details, it's both less interesting, and almost impossible to peer-review.

The hashing point is in fact a potential aspect of the discussion. There's aspects of some censorware internal architecture where it isn't clear if something is designed that way because there's a complex implementation trade-off, or they're just dumb. It's not like I can have a design review chat with the people working on it :-).

Posted by: Seth Finkelstein at November 18, 2004 06:36 PM