[I wrote this in reply to a discussion about the FBI Almanac Alert story, for Dave Farber's list. It was replying to Hiawatha Bray (a Boston Globe reporter), commenting "I may be reading too much into this, but it suggests to me that they've been tipped off that the bad guys like almanacs. Some Guantanamo inmate probably gave it up under questioning.". Interestingly, my message didn't get passed onto the list, but his response to it did.]
Subject: Re: [IP] FBI Issues Alert Against Almanac Carriers
It would seem, with the reach of the IP list, that someone here is likely to have received a copy of the alert. Perhaps they could share? So we don't have to discuss it working from what might be selective excerpts?
But underlying the debate is a question as to whether the information actually does more harm than good. Here's a thought experiment to make it clearer:
Suppose some Guantanamo inmate gave up under questioning the following intelligence:
"We really liked using the New York Times crossword puzzle for a 'book code'. Of course we used the clues, not the answers. Think about it - using the first word of the clue, it's a list which is all nicely numbered, so that means no errors in counting out which word corresponds to which number. And pouring over it doesn't look suspicious. Moreover, just about everywhere, you can easily get a copy of the day's New York Times. So it works as common codebook between different cities and even different countries."
Useful info? Maybe. But would it do any good to issue an alert saying in part "Take into account any interest in the New York Times crossword puzzle?" (note not the Boston Globe crossword puzzle, or the Washington Post crossword puzzle, etc.)
From one point of view, it's another piece of information. But the problem is that it's such a common activity, there's also a very high chance that it'll be part of creating false positive.
Or, more bluntly (no offense meant to Hiawatha), this is the problem of "The criminal suspect is described as an African-American male".
[N.b. Hiawatha Bray is an African-American male, hence my no-offense comment.]
[I wrote this in reply to the message message on Dave Farber's list about not being able to connect unpatched Windows PCs to the net because they instantly get infected by Microsoft worms. But it apparently didn't make the cut]
Subject: Re: [IP] Microsoft's festive advice: Don't plug our PCs into the Web
> But as Simon Moores, an internet consultant, pointed out yesterday, the
> software giant's admonitions "place the world in a catch-22: you can't be
> sure that it's safe to go online unless you connect to the internet and get
> a huge file of security updates from Microsoft, and new anti-virus files -
> which are also only available online".
Every time I see something like this, I think there is a great evangelism opportunity in having a bootable Linux CD which is optimized for naive users to use to go online to download fixes and updates from Microsoft. Take the idea of a "rescue" disk, and expand it to "rescue-from-Microsoft" CD.
I can see it now: "Oh, you have a new PC - here, take this "rescue-from-Microsoft" disk. You'll need it to go online without being infected by Microsoft viruses in the first place. Why do you need it? Well, let me tell you a story ..."
[I had cc'ed this to someone, and they asked if it was in fact feasible. I replied per below]
I believe so. Bootable Linux CD-ROMs have been around for ages, and then one would have to apply all the work which has gone into automatic configuration. It probably wouldn't work for every conceivable PC. But I think it should be do-able for the mass-market machines. Take a look at the "Linux Bootable Business Card":
The LNX-BBC is a mini Linux-distribution, small enough to fit on a CD-ROM that has been cut, pressed, or molded to the size and shape of a business card.
LNX-BBCs can be used to rescue ailing machines, perform intrusion post-mortems, act as a temporary workstation, and perform many other tasks that we haven't yet imagined.
It would seem to be a straightforward step to adapt this to something optimized for downloading Microsoft updates for new PC's.
There was an unexpectedly high amount of traffic to my website today, going to the page on Al Gore "invented the Internet". A small but notable blip. It seems the source was the remark in a NYTimes Paul Krugman column:
If a reporter must use anecdotes, they'd better be true. After the Dean endorsement, innumerable reporters cracked jokes about Al Gore's inventing the Internet. Guys, he never said that: it's a malicious distortion of a true statement, and no self-respecting journalist would repeat it.
He said it, I didn't :-). So I took a look what's repeated in the official Declan McCullagh biography:
"[Declan] McCullagh was the first journalist to question Vice President Gore's claim to have created the Internet ...
I suppose that's a slight improvement from the much earlier version, which read
... the first to question Vice President Gore's claim to have invented the Internet ...
I don't think the problem is quite about "self-respecting". A more accurate phrase might be "truth-respecting" (so many examples ...)
Jon Johansen has been acquitted again! (link credit - Lessig )
A panel of judges Monday cast aside the appeal that prosecutors had filed to a lower court decision handed down in January. That means the lower court's decision will stand, at least until another eventual appeal takes the case to Norway's supreme court.
The lower court had ruled that Johansen, now 20, did nothing illegal when he helped crack DVD copy protection codes in 1999 and then publicized how he did it. The prosecution had sought a suspended jail term, confiscation of his computer equipment and a fine of NOK 20,000 (less than USD 3,000).
This is great news. A win is always great news. It would have been very bad news if he had lost.
HOWEVER ...
This is NOT quite so great news as people will think, for two reasons:
1) Contrary to myth, Jon Johansen's DeCSS work wasn't the reverse-engineering of CSS. That part of the creation of DeCSS was done by an anonymous German.
2) With new more DMCA-type laws being proposed and passed all the time, being found innocent here, does not mean the next programmer charged, will be found innocent. That is, they'll just change the law. See my old post on Grokster, Streamcast copyright win, vs. LaMacchia case
Again, victory is good. But let's keep in mind what's been won - and what hasn't!
Perhaps I'm wasting an A-list notice, but Lawrence Lessig has a very nice post where he says:
I missed that Seth has a blog. He's been right about many things, but I think he's wrong about one thing: blogs are not just for talkers, for talkers have no time for links. The best blogs synthesize, and reflect. Not just news, but a way to triangulate, as Dave describes it. I hope he rethinks.
What I'm focusing on, is the issues of why people write, and trying to go past the basic point that some people write as a hobby. That is, we know some people enjoy writing, even if there is nobody reading. Which is fine. Just like some people like to spot the trains roll by, or watch birds, or be spectators for several hours while a few guys kick a ball around. There's nothing wrong with any of it, in my view.
But I think the conflation of writing a diary, which is for yourself and immediate circle, with reporting and commentary, which is primarily writing for other people, has been very confusing for the stock discussion of "What Is Blogging, And WHAT DOES IT ALL MEAN?"
Diary entries, press-releases, reporting, analysis - these all share an empirical characteristic of being frequent writing. But they don't all have the same functionality in terms of reasons to do them. That is, the motivation or reason to write a daily diary entry is not the same as a daily journalistic news roundup or analysis, even if both are "blog posts".
People who are in a writing business - that is, authors, journalists, lawyers, lobbyists, public-relations (I'm terming "talkers") - can benefit personally from doing a constant stream of writing. Even if the writing is given away, free, it can drum up business, get one's name out there, and so on. It's very rare to make money directly from a blog. But it's often useful to think of it as a form of personal advertising.
But I am not in a writing business. I'm not a "talker". By profession, I'm a programmer. After a while, it seems to make sense to ask "Is my writing of commentary, read by almost nobody, worthwhile"? What is this for?
Synthesizing takes time, effort. Can I ever, objectively, say "This isn't working" (for me)? Ever? Or as long as there is one other reader in the entire world, is that the standard of "working"? Note for diary writing, one might say that the definition is purely internal, and it doesn't matter if there are zero other readers. But again, I'm uninterested in keeping up a purely personal online diary.
So maybe writing frequent free barely-read commentary/analysis, just isn't for me. The easy answer is of course to say, yes, keep spending the time, keep putting in the effort, nose to grindstone, shoulder to wheel, etc. But this is not useful. Of course if there's one interested reader in the world, that reader is going to say they're happy to read it, it's almost tautological. An answer which isn't a platitude has to consider that it's not costless to do this. This connects in a deep way to the idea that "Punditry is not democracy". We aren't all going to be reporters/commentators, even if only simply because we all can't afford it.
Cake tastes great. But not everyone is eating cake, more like bread crumbs.
GrepLaw has an interview with me today:
Seth Finkelstein on Censorware, Copyright, and Blogs
http://grep.law.harvard.edu/article.pl?sid=03/12/16/0526234&mode=nocomment
It's over 6,000 words long. Of course, I think it's well worth reading. But I'm biased there.
The topics range over censorware, copyright, DMCA, free-speech activism, committing bloggery, and more. I went on at length. So even if you've heard me say it all before, it might be worth a look just for the collected edition.
[Update: URL now goes to archived text on my site]
I'm going to slow down on blogging. It's just not working for me. It's taking too much time and thought, for too little return. For more than a year, I've tried to have something worthwhile every single day. But ultimately, I've only gotten to about one level higher than the generic diary. I'm repeating myself too often, regarding pointing out where I'm virtually off ranting in a little corner for all the good that soapboxing does, which is not much.
Real paying work is actually picking up, which is very good. I might finally get back on track from the train-wreck that free-speech activism has proved to be for me. And doing more Google investigations looks to be very attractive. Plus there's some essays I may want to finish.
Fundamentally, blogging is for talkers. The applications for blogging are mainly people doing journalism, commentary, sales, etc. - professional talkers who do it for a living, and diaries, which are nonprofessional talkers, who do it because they enjoy hearing the sound of their own voice (nothing wrong with that, in my view, but that's what it is).
I'm not abandoning this completely. But I need to ease up from a daily grind of doing it every day.
Worth skimming if you're interested in the topic:
ALA releases updated "Libraries & the Internet Toolkit"
The American Library Association (ALA) today released a revised and updated version of the popular "Libraries and the Internet Toolkit." The toolkit is the most recent addition to the resources available to assist libraries making decisions about Internet filtering in response to the requirements of the Children's Internet Protection Act (CIPA). The new toolkit can be found online at www.ala.org/oif/iftoolkits/internet or from the CIPA home page, www.ala.org/cipa .
A nice collection of information, very librarian-like. My website isn't mentioned in it anywhere. But they do point people to Peacefire and some other censorware investigations. It's OK.
Every so often, someone suggests that the American Library Association, or even myself, issue some sort of "lesser of all evils" evaluation of censorware. I have always thought that was a bad idea, for many reasons, including purely pragmatic grounds. Any such thing is going to quickly be promoted as an endorsement. Today an article Teacher resigns; allegedly looked at porn web sites demonstrates why:
Walker Schools Science and Technology Coordinator Wayne Robinson said a computer system, Bess, monitors all computers in the schools with Internet access. N2H2, headquartered in Seattle, Wash., produces the monitoring system.
"We use a filtering solution, which was deemed to be the best Internet filtering solution in the world by the U.S. Department of Justice," Robinson said. ...
The U.S. Department of Justice said no such thing. There was a study done for the U.S. Department of Justice, which also said no such thing. But that's the power of the press release.
Other (unintentional) good stuff :
"Our No. 1 priority is not about providing Internet access to the schools; it's about safeguarding the use of the Internet," he said.
Robinson said the software not only filters objectionable web sites, but monitors Internet usage, as well.
"Every time a machine has Internet access, a complete log is generated for the use of the Internet from that machine," he said. "It's a very extensive log. Every time there is a click of a button, that click is logged." ...
Although the schools are very well protected, some objectionable web sites will always slip through the virtual cracks, Robinson said.
"No software solution is completely fail-proof. I don't know if it's realistic to think that all objectionable sites can ever be completely blocked through any solution," he said.
Greplaw has an item
CNN article on growth of web porn, about
"CNN.com - Sex sells, especially to Web surfers":
posted by scubacuda on Wednesday December 10, @02:07PM
from the What-would-Seth-say? dept.
David Burt writes "This is from the study I released when there was still an N2H2, and it offers the most detailed look at the growth of Internet porn I am aware of. Since then, we've been acquired by Secure Computing, and I've been named PR Manager. Porn growth: 1998 14 m. pages, 71k sites; 1999: 25 m. pages,129 k sites; 2000: 48 m. pages, 242 k sites; 2001 62 m. pages, 311 k sites; 2002 177 m. pages, 887 k sites; 2003 260 m. pages, 1.3 m. sites.
Kathee Brewer, technology editor of porn industry news site AVN Online, makes a good point in the CNN article that David links to:
"[C]ritics of porn sites are attempting to blur the lines between law-abiding adult content and banned obscene material. "People can be easily led, and the mere twist of a phrase -- like substituting 'obscenity' for 'pornography' -- can have a profound effect on basically good folk who want to do the right thing but don't know exactly how to go about it."
What would Seth say? Well, that ...
I have more to say, but I've said enough for now.
Ed Felten asks Voting Machine Vendors To Do ... What?:
In today's Washington Post, Jonathan Krim reports on a new effort by the e-voting machine vendors to do ... something or other. The article, which is titled "Voting-Machine Makers to Fight Security Criticism", doesn't quite say what they're planning to do.
Ah, the wonders of the net, you can read the press release directly:
Companies Form Election Technology Council
ETC members will work together to raise the profile of electronic voting, identify and address security concerns with electronic voting, develop a code of ethics for companies in the electronic voting sector, and make recommendations in the areas of election system standards and certification.
Or, to translate:
Foxes will work together to raise the profile of farming, identify and address security concerns with farming, develop a code of ethics for predators in the farming sector, and make recommendations in the areas of henhouse standards and certification.
Clear?
Further:
You've really gotta wonder how a non-story like this got onto page 2 of a major newspaper.
Nope. It's the power of the press release. Just search Google News for others generated by that press release.
Deep down at the very end of the Lessig blog's discussion about the "the classic Declan" item (falsely characterizing him as favoring "ending anonymity"), Lessig himself makes a comment I found extremely interesting:
But this is all taking the wrong tone. Declan and I have had fun arguing since 1996. He jabs when he can; I when I can. He's plays well, even if sometimes fast and a bit loose. But I did entrust him with my job (in the spam bet) and I'm sure I'd trust him with something more sometime again. The only real point of all this is to say: whatever sensible strategy just now is to protect and extend privacy, I am not advocating the elimination of anonymity. So call of the dogs.
My view is that Declan "plays" in a kind of Beltway-pundit way. I once parodied it along the lines of the Barney Song ("I Love you. You love me. We're a happy family.") as:
I backstab you; you backstab me.
We're in politics in DC.
(I have more to the parody song, but I probably shouldn't post it)
But this really did seem to be his outlook. Like war is the sport of kings, lies are the sport of journalists.
I suppose this works if you can turn off the computer and go out for drinks, nobody really gets hurt. And maybe it's all even good for everyone, in terms of playing to their cheering sections. But if Declan decides that people facing lawsuits are a sandbox for him to play in, well, it's all fun and games until someone goes to jail - and that's not going to be Declan.
Sigh. Oh yeah, I got a blog!
("I'm a
Insignificant Microbe in the
TTLB Ecosystem")
[Update: Apparently the database hadn't yet fully ranked me when I looked - my true status is in fact ... Multicellular Microorganism
]
[Update2: Thanks to anonymous for telling me, my latest ranking ... Flippery Fish!]
[Update3: Broke into the ranks of Crawly Amphibian! But I think i've hit my ceiling]
[Update4: Back down to Flippery Fish. Yup, that looks to be my final approximate status.]
The issue that censorware requires control of people, not "filtering" of content, seems to at last be edging into awareness. Note the following interesting newspaper article:
Workers fight back with software that blocks Big Brother's view:
While the boss is watching for illicit e-mail and naughty Web surfing on the job, some workers may now be fighting back. ...
But employees intent on skirting company rules have a growing arsenal of weapons at their disposal to help them avoid getting caught with their digital pants down, including privacy-enhancing services that code messages, fake identities and "anonymize" online communications.
"Yes, there are different privacy technologies that can be used by people to prevent this from happening to them in the workplace," said Dov Smith, spokesman for Zero-Knowledge Systems Inc., a Montreal software company testing a new product, Freedom, that lets users communicate online using encryption and pseudonyms.
Psst ... BESS's Secret LOOPHOLE (censorware vs. privacy & anonymity)
I published that years ago now. (Almost) nobody heard. It did get used in the District Court CIPA (censorware) decision. So I suppose it wasn't a total waste.
I've been wondering if I can do any mathematics to figure out the reach or influence of Lawrence Lessig's blog posting "the classic Declan" (rebutting Declan McCullagh falsely characterizing him as favoring "ending anonymity."). Especially compared to Declan's hatchet-jobs. I can just hear it now "Look, look, behold the power of blogs. This person has a flame-thrower. Seth, you have a kitchen-match. That means you can fight fire with fire".
The "Technorati" blog index site currently ranks Lessig as #94 out of "1,323,388 weblogs watched". We're talking, drumroll,
Not the top 1%. Rather, again the top 1% of the top 1%.
There's the mathematics. That's A-list for you. The blog-blather is ludicrous.
Declan McCullagh gets a very strong condemnation today from Lessig.
I just submitted this to GrepLaw:
Lawrence Lessig has a long blog posting "the classic Declan", where he writes about being falsely characterized as favoring "ending anonymity."
"For Declan's statement has no relation to anything the article actually says. Read on if you'd like the proof, but the bottom line yet again: Declan is a brilliant writer, and excellent pundit. But he is more a bomb thrower than a careful reader. His readers should keep this in mind."
It's good that Lessig has the journalistic power to defend himself. I sure wouldn't be able to reach anywhere near a comparable audience (to either of them!) if Declan were to smear me.
I saw the flare-up in the "RSS wars" (the arguments over the format for conveying article headlines) today, no links out of self-preservation. And in a bit of serendipity, an article about Microsoft dominance strategy crossed my screen. I was thinking, it really is possible for everyone on the free/open side to lose. I've managed so far not to get really hurt by D've W'ner, despite my views of blog-bubblism, so I probably should say as little as possible. But the whole thing reminded me yet again in an unpleasant way of some of the issues in the old bad censorware politics. Yes, you can all lose, in terms of the cause, everyone, though of course some people can come out ahead on a personal level.
It's like watching a real Prisoner's Dilemma unfold. Nobody wants to say "You're right, we'll do it all your way, you're in charge". It's easy to dismiss this as personality or ego, but there's much deeper and more fundamental divisions.
Well, I have no particular solution. In fact, I'm just hoping I don't suffer from this posting, which is a measure of how little I can do.
To supplement the Jon Johansen (re)trial, the DeCSS history below makes good reading for those interesting in primary sources.
From: http://www.free-dvd.org.lu/css-chain-of-events.txt
- The Truth about DVD CSS cracking by MoRE and [dEZZY/DoD] -
------------------------------------------------------------
Date: 4th of November 1999.
By: [dEZZY/DoD], [MultiAGP & German dood of MoRE]
This document is written cooperatively by the two groups that independently and simultaneously cracked the DVD Content Scrambling System, in order to straighten out mass media confusion.
DoD -> Drink or Die: "warez bearz from Russia and Beyond"
MoRE -> Masters of Reverse Engineering
[dEZZY/DoD] alone is the author of DoD DVD Speed Ripper.
MoRE is a new group and they are the authors of DeCSS.
Lately, Jon Johansen of MoRE has been pretty much all over the news in Norway, though he had NOTHING to do with the actual cracking of the DVD CSS protection. Yes, it was MoRE who did DeCSS, but the actual crack was not a team effort, MoRE didn't even exist back when the anonymous German (who is now a MoRE member) cracked it...
Most of the papers chose a headline very similar to this:
"15-year old Norwegian cracked the DVD-code".
They probably did this because they wanted to make a big
Norwegian "Wooohoooo" out of it. This was also pretty much
the contents of the TV show "Vestfold-sendingen" where they
brought up matters from Vestfold, Norway where Jon Johansen
lives.
In most newspapers they vagely included the name MoRE, and that DeCSS was a team effort, but neither MoRE nor DoD liked the headlines. Jon's comment on this matter is: "I never told the media that I had cracked the dvd encryption. What I told them, was that we (MoRE) had made an app called DeCSS which would decrypt dvd movies and let them be played off your hd, or off dvdrs if you have a dvd burner. I always used _we_ and _MoRE_ when talking to them. I never said anything about me or my position in the group.
Now that the storm is over, I see that all they were after, was to get a big story. They even included some of "my" quotes, which I never said. When media starts making up stuff, it's really sad. I know that this has been done before in Norwegian media, regarding the cooperation between a computer group at my school and the school people in charge of the network. All I can say is that I'm very sorry that the media twisted my words, and even lied, to make it appear as I had done the cracking myself. I'm pretty sure that I will do everything to avoid the media in the future, but if I'm forced to talk with them, I'll have to get them to sign an agreement. Again, I apologize on the behalf of Norwegian press, and I hope that this document will make everything clear. The truth shall set you free."
DoD DVD Speed Ripper was developed by [dEZZY/DoD] at the same time as DeCSS. The first release of DoD's app (which came out a couple of weeks before the first release of DeCSS) did not work with all (WB) titles, like The Matrix. This was known by [dEZZY/DoD] at the time of his release. MoRE decided to wait until they could fix this. In short time, [dEZZY/DoD] solved the problem and MoRE's top coder/disassembler from Germany used that information to get DeCSS working with every movie before they released it, along with a GUI. DeCSS was then the first application which decrypted ALL dvd titles, since DoD had not released a new version to the public. How MoRE got their hands on the information by [dEZZY/DoD], seems to have something to do with the Linux community...
Why Drink or Die didn't want to release a new version so soon, was because warez sites nuke programs that are too close in release (minimum 2-3 weeks). Meanwhile when DeCSS came out, it caused DoD to delay any Windows release until a GUI version of their Speed Ripper was done. However, they released a Linux version of their ripper late October 1999. As for the new Windows version of the Speed Ripper, [dEZZY/DoD] has been very busy with his education and hence the ripper is extremely delayed.
[dEZZY/DoD] already got the idea of reverse engineering a DVD player for the CSS code back in late summer 1998. He was not able to do it at the time since he did not have access to a DVDROM. In the beginning of 1999, MoRE's German member also got the idea. [dEZZY/DoD] and MoRE's German member got CSS decryption code working at the same time (middle of September 1999), without having shared info (although they knew about each other). After [dEZZY/DoD] solved "the problem", MoRE's German member, as stated above, implemented these changes and added them to DeCSS for release.
Before DeCSS was developed and released, MoRE had already sent the source for the decryption to their contact in the Linux DVD community, Derek Fawcus <derek@spider.com>. This is the reason why one of Wired's news reporters was put on the case.
[dEZZY/DoD] also had relations in the Linux DVD community (who does not want to be mentioned), but decided not to release the source code publicly (at least not for the moment).
Enjoy the software!
- Jon Johansen [MoRE]
- anonymous German cracker [MoRE]
- [dEZZY/DoD]
Jon Johansen, one of the three people of a group creating the DVD decryption program DeCSS (note DeCSS history is not at all the common media portrayal of the lone teen cracker breaking Hollywood's codes, no disrespect intended), is now undergoing his second criminal trial. I just mentioned he's in fact one of three people in the group - the other two are staying anonymous. And as I say, it should thus be screamingly obvious why they are staying anonymous - including the German programmer "Ham" who actually did that particular DeCSS reverse-engineering.
There's coverage, of course. IP Justice has a nice press release, and a very good DeCSS Litigation Timeline. EFF has useful Johansen DeCSS case archives
Jon Johansen's been facing criminal prosecution for around four years now. My heart goes out to him on that point. A criminal trial is one of the most stressful things a person can face. And he wasn't the critical decryption programmer either, keep that in mind (again, no offense meant). People just don't get it, whenever I talk about how I don't want to go through something like that myself. It's an abstraction. They see him being made into a hero, at least getting a defense, and they tell me I'll be a hero too. But I've never, ever, gotten a defense, quite the opposite. The lack of support drove me to quit. And these sorts of risks are part of the reason.