August 27, 2008

My _Guardian_ column on Security by Obscurity = Ignorance is Strength

security by obscurity = ignorance is strength
http://www.guardian.co.uk/technology/2008/aug/28/security.law

Is research that uncovers flaws in transportation fare payment systems so dangerous as to justify censorship?

This is my reaction to the MBTA v. Anderson case, where three MIT students and MIT have been sued over their research showing security weaknesses in the MBTA subway fare system. I'm hoping my comparison of "security by obscurity" to the Orwellian slogan of "Ignorance is Strength" catches on. Happily, that comparison managed to make it into the title.

Blog bonus: My original draft had a paragraph "Some naive commentators have a ludicrous idea that there's teams of civil-libertarian lawyers on alert who scan the skies for the EFF-signal and then leap into the EFF-mobile to do battle. The reality may be heroic in its own way, but resembles battlefield triage far more than a bloodless inevitable triumph of good over evil."

But that either got cut for space or because the Batman references were too obscure.

[For all columns, see the page Seth Finkelstein | guardian.co.uk.]

Posted by Seth Finkelstein at 08:55 PM
August 03, 2005

Jennifer Granick on Defending Mike Lynn (Cisco/ISS router disclosures)

Read Jennifer Granick's inside account on the Mike Lynn case, explaining the legal issues regarding his disclosure of Cisco router security problems. Money quote (pun intended):

At the point that you get sued, or even charged with a crime, it matters less what actually happened and whether you did something wrong and more what it takes to get out of the case as unscathed as possible. It's sad, but true, that our legal system can often be more strategy than justice.

Core of the "interesting" legal controversy:

It seemed that Cisco was claiming that Mike's actions were improper because he violated the End User License Agreement (EULAs), which prohibited reverse engineering. So now I was having fun. I'm totally interested in EULAs and the circumstances under which they take away public rights that are otherwise guaranteed us. Usually, a breach of contract is no big deal. But increasingly in the tech field, we're seeing big penalties for what's essentially a contract violation. Under the Computer Fraud and Abuse Act, if you exceed your authorization to access a computer, you've committed a crime. Cases have said you exceed authorization when you breach a EULA, terms of service, or employment contract. Other cases have said that EULAs can waive fair use rights and other rights guaranteed under copyright law. Lynn's case presented the question of whether EULAs could subvert the legislature's express desire to allow people to reverse engineer trade secrets.

[Note - I've said this before, many times, but once again, here's more evidence that the types of legal risks I faced myself in investigating censorware were severe, and it was a very serious matter of extensive attacks combined with lack of support which made me quit censorware decryption research]

Posted by Seth Finkelstein at 11:53 PM | Comments (6)
May 01, 2005

PDF redacted text extraction works on Giuliana Sgrena Report

As is being widely covered, a report detailing the Giuliana Sgrena shooting incident was released in PDF form with "redactions" which could be removed by using common PDF tools to obtain the underlying text.

Again, what happens here is that the creator starts with a text document, then draws an image over the text. So, on the screen, it looks like the text has been blacked-out. But in terms of the PDF, there's the text, and then an image layered on top of it. Any tool which extracts text, such as cut-and-paste, or text driver, will ignore the redacting image. So, instant unredacted document.

While not quite the oldest trick in the book, this has been known for years, having exposed some spies some and confidential memos. I sometimes think curious people try it on every applicable document. My first reaction when hearing of this case was "Wow, that old unredaction trick actually worked on something nowadays?"

I wouldn't normally echo such a extensively reported item. But it gives me an opportunity to tell an extended activism-story about how well-known is the redaction trick (this involves two other people, one of whom I'm fairly certainly doesn't read my blog, the other who might but will be less concerned - so I've changed a detail or two). Let's say there was a certain report which was of intense interest to several people, and was available in a redacted form. So, what do I do the first time I get a copy of it? Look at it microscopically, and try to un-redact it ("Hmm ... `My consulting rates have been $[black bar] a hour' ... is that two figures under the bar, or three? Looks like three ..."). I load it into a PDF viewer, and see the standard black redaction bars which indicate an image layer, and try cutting and pasting around it. And I get text back, but the text is dashes. Whaa??? It's text. Is this some new security feature for redaction? I dig into the raw PDF structure (I can do that). I dump the data which goes into making text, going down into a low level, and it's still dashes. Suddenly, it dawns on me what the writer has done. He's overwritten the redacted words with text dashes, and then put the black image bar on top of them! I toss an unseen salute to the writer, who does know his stuff.

Months later, another activist says to me "Seth, have you seen so-and-so's report? It would be really cool if you could apply the PDF extraction procedure to it." Way ahead of you [name redacted], way ahead of you. Both of us. Now how about you actually read a relevant court case before giving advice about the risk of people getting sued.

I suppose I should end by saying I wouldn't want to be in the shoes of the person who created that Sgrena Report PDF file.

Posted by Seth Finkelstein at 11:59 PM | Comments (11)
January 18, 2005

findthemessage.com puzzle solution

Regarding the General Motors billboard puzzle http://www.findthemessage.com/ ("Find The Message"), Dave Winer writes:

Interesting puzzle from GM. More or less approximates the route I took from west to east. I even saw one of the billboards, but I don't remember where or what the word was. I thought it was weird enough to remember it. Anyway, this is the kind of thing the blogosphere should be able to solve in short order.

You don't need the blogosphere. Just an expert.

Solution in extended entry below, for those interested.


Solution:

"This is the last time you will ever have to feel alone on our nation's roadways ."

The data's in the publicly-available binary which runs the animation. http://www.findthemessage.com/map.swf

The full information is:

This | Bayshore Freeway north of Haven | San Francisco, CA
is | San Berdo Freeway east of Evergreen | Los Angeles, CA
the | I-10 Squaw Peak Hwy. north of Harrison | Phoenix, AZ
last | I-10 east of Geronimo Drive | El Paso, TX
time | 2601 S. Danville | Abilene, TX
you | I-30 east of Commerce | Arlington, TX
will | I-20 west of Industrial Loop | Shreveport, LA
ever | I-55 north of Old Pearl River Bed | Jackson, MS
have | Atlanta Hwy. (I-85) at Mt. Meigs | Montgomery, AL
to | I-20W east of McDaniel Street | Atlanta, GA
feel | I-20 1st west of Wheeler Road | Augusta, GA
alone | I-20 east of Broad River | Columbia, SC
on | 1811 S. Saunders St. at Junction I-440 | Raleigh, NC
our | I-95 1st south of Boulevard | Richmond, VA
nation's | New York Avenue west of Florida Avenue | Washington, DC
roadways | I-95 north of SR 72 | Wilmington, DE
. | 1535 Broadway @ 46th Street | New York (Times Square)

No encryptions were broken in the making of this post.

Posted by Seth Finkelstein at 08:22 PM | Comments (3) | Followups
January 14, 2005

Making Fair Use of cut-and-paste restricted PDF files

PDF files with usage restrictions often pose a problem regarding how to exercise one's fair-use right to quote excerpts. Back last March, I wrote about how to do "permission arbitrage", in a post "Making Fair Use of the Report on "Big Media" Meets The "Bloggers"" (there's a certain amount of irony there ...).

It seems as relevant now as it was then, so I'll repost it today.


[Repost]

Dowbrigade has sad comments on difficulty in making fair use of the Shorenstein Center report "Big Media" Meets the "Bloggers": (link credit Dave Winer)

The weird thing is the extent to which the authors have gone to make sure this milestone article in the academic history of the Blogosphere is unbloggable. Excerpts or selections of the text cannot be saved, or copied and pasted. The document cannot be converted to another format or saved as anything else. ... The selection below were typed out by the Dowbrigade, letter by letter.

It takes a very twisted view for a court to believe things like this do not impinge fair use rights ...

The encryption used here is well-known, and trivially within my technical ability to decrypt. But given what happened to the last guy who programmed about PDF files and decryption (the name Dmitry Sklyarov might ring a bell), I'll let someone else take the risk of an unquestioned DMCA 1201(a)(2) violation.

Instead, I'll note a very simple way to get usable text from the restricted file. Observe that printing is allowed. Now, one does not have to get fancy with OCR or images. Simply do a version of the "analog hole". The document can be printed. The printing process has the ability to print to a file. Use that option. That is, print the document to a file instead of directly to a printer. This produces a file in a different format.

There's a "Do not remove this tag under penalty of (DMCA) law" bit of code in that file, which handles the security for usage restrictions. HOWEVER, the text of the document itself is in the clear here! All that's needed is to make it more usable. So extract the whole text chunk from any line in the file where the line starts with a left parenthesis or ends with a right parenthesis (no text chunk has a segment with more than two lines)

That is, cough, I meant to say,

perl -n -e 'print $1 if (/^\(([^)]+)/ || /([^)]+)\)$/);' < shorenstein.ps

[I think I'm allowed to write the English statement, but in peril with the Perl statement, at least under current court precedents]

All done. You now have a file of text which, though not all that pretty in formatting, is quite amenable to cut-and-paste.

Does even this post violate the DMCA? Is it trafficking in "technology" that "is marketed by that person ... for use in circumventing a technological measure that effectively controls access to a work protected under this title."?

You guys at Harvard will defend me, right? Right? Right? ...

Disclaimer: No encryptions were broken in the making of this post.

[UPDATE (from March 2004): I found a simpler, better, procedure (all the following are standard Linux programs)

Use the program xpdf to generate the postscript print file. This program obeys the usage restrictions itself, but does NOT insert the usage restriction code in the generated print output.

Then use pstopdf13 to generate a PDF file from the print file (the default 1.2 version didn't work well, 1.3 works better).

This new PDF file is not usage restricted!

Then run pdftotext over this new file ... and presto, a pretty text version!

I'm really worried now ...
]

Posted by Seth Finkelstein at 09:32 AM | Comments (5) | Followups
December 02, 2004

Cites & Insights, December 2004

People sometimes argue to me that I underestimate the extent of where I'm heard. I tend to regard that argument as mere kind words (after all, well-wishers aren't going to say to me that it's hopeless, I'll never win). But every once in a while I do wonder about it.

I've learned that Walt Crawford is a "blockbuster" ("In the library world he's like Madonna, ..."). So I should note his latest library 'zine (not his blog) issue, "Cites & Insights" December 2004. And I'm mentioned (my links below, but emphasis in the original):

One quick note in a rare three-issue sequence. In Cites & Insights 4:12, I discussed the Sima GoDVD! box, which "enhances" video in the analog domain so that you can convert it to digital form to burn to DVD, and in the process appears to undo Macrovision copy protection (which works by degrading analog video in a specific manner). In the following issue, I noted a clarification from Seth Finkelstein to my presumption that GoDVD! couldn't be prosecuted under DMCA because it operates entirely in the analog domain: DMCA had a special provision to protect Macrovision even in analog cases. I commented that GoDVD! was still probably in the clear, because the DMCA clause discusses recording devices, and GoDVD! isn't a recording device. An October 13 post at Finkelstein's Infothought blog (sethf.com/infothought/blog/, highly recommended) quotes my full discussion, highlights the last sentence ("...it's just a video enhancement box"), and suggests that GoDVD! probably doesn't violate the letter of the law. "On the other hand, this looks very much like what a hostile judge would view as a loophole. Or at least fodder for a quick amendment." His conclusion: "Even if it's true now that the GoDVD! box does not violate the Macrovision section of the DMCA, I'm not optimistic as to how long it will remain true."

Leaving shameless self-promotion, the sections recounting the recent history of the INDUCE/IICA, and the by now typical chop-suey of copyright legislation, are extremely useful overviews. Walt writes in-depth coverage, but with enough context so that someone new to these topics will be able to understand it.

For something completely different, I have a comment on the following part:

I'm sure every Cites & Insights reader knows that any PC with any connection to the internet -- even a dial-up connection -- must have an active firewall as well as full-time virus software updated at least weekly. ... Or let your machine be used to attack other machines and spread spam even further, while taking most of the CPU power you're paying for. It's your choice.

As the saying runs: Remember: it's a "Microsoft virus", not an "email virus", a "Microsoft worm", not a "computer worm".

Linux machines do need firewalls for additional security. But these days, it's almost to the point that before I'd use a Microsoft program for email, they'd have to pry my keyboard from my cold dead fingers. Quite seriously: The need for full-time virus software is not a fact of life, it's a fact of Microsoft. There's reasons for that, design constraints and deliberate decisions which favor convenience over security. But those decisions have costs. I've long conjectured that one of the best selling points for Linux, in terms of just a little concrete detail which may be worth more than any abstraction, is the sheer relief of not having to worry about the @#$% Microsoft Word viruses and Microsoft Browser security holes.

Posted by Seth Finkelstein at 11:59 PM | Followups
August 28, 2004

The No-Fly List and Think Like A Terrorist

Responding to my post "Data corruption attack on terrorist no-fly list?", Ernest Miller comments:

As amusing as that thought is, however, the real question is why would terrorists want to do this? Why would they want to flummox up a mostly ineffectual system that give the illusion, but not the reality of security? Sure, it might increase the costs of the system, but would it be worth it?

I reply: Think like a terrorist! (not a techie). Let's say, in the standard sort of nethead framework, that the silly security system is fooling those sheeple of the general population. Bovine-like, they are led and lulled by the shiny objects and pretty blinking lights. We are just so smart, we see through it, can't fool us, no siree.

But ... the terrorists, they're smart too. They know it's all a sham and political posturing. They also know that we smart people know it's all for show. So they don't *want* the general population to have the illusion of security. After all, if the general population has the illusion of security, then they're not terrified - and the terrorists have lost! Moreover, the beneficiaries of such illusions are the current government, which is exactly the opposite of a desirable situation from the viewpoint of a jihad-ist.

So flummoxing the no-fly list a "terror twofer". It embarrasses the government, and can be used to disrupt the travel of even high government officials. Think of it: a few plausible-deniability entries, corrupting a list, can throw a senior Senator's (or Representative's) schedule into disarray and personal frustration. And then cast doubt on the quality of whole data set. It's an incredible return on investment of a very low-level operation.

The conclusion is inevitable:

THE NO-FLY LIST IS A TERRORIST PLOT!

[Just to be clear, since this is the Internet, I have to break the mood and say that this article is written tongue-in-cheek. But feel free to take it seriously anyway.]

Posted by Seth Finkelstein at 11:31 PM | Followups
August 26, 2004

Data corruption attack on terrorist no-fly list?

[Written for Dave Farber's list, in reaction to John Lewis and Edward Kennedy on no-fly list. But it didn't make the list cut]

There's been much discussion about how difficult it is for someone to get OFF the no-fly list. But, from the opposite direction, what are the controls to put a name ON the no-fly list? The evident lack of validation suggests a very simple data corruption attack which could use the list as a terrorist weapon itself.

The idea is simple: Take a low-level operative, perhaps one who has outlived his usefulness. Send him on a mission that is likely to get him captured. The key idea isn't the mission himself. Rather, have him carry phony "valuable intelligence" documents, with faked ID's in various alias, to get those names added to the no-fly list.

Using an alias of "George Walker Bush" is probably pushing things. But then again, I wouldn't have thought "Edward Kennedy" would have had such an effect. How many security agents do you think would look askance at a fake ID with the name "William Rehnquist"?

There are endless variations of this game, depending on where the names are gathered. One could do standard double-agent tricks, of feeding disinformation: "To my intelligence handlers: Be aware of a change in tactics - given the recent publicity about members of congress on the no-fly list, our terrorist cell has decided that future operations will be done with fake ID's in the names of prominent, but not household-word, government officials. Be especially alert for anyone traveling under the names "Karl Rove" or "Tom DeLay", they're likely to be potential terrorists ...".

While this is of course a very old idea in general, the potential usage of the no-fly list, by terrorists, for creative disruption, has probably been under-examined.

Posted by Seth Finkelstein at 11:59 PM | Comments (1) | Followups
July 05, 2004

Censorware usable for blog Denial-Of-Service Attack?

Michael Froomkin relates a censorware experience with some interesting implications:

Since the supreme court cares about the quality of blocking and filtering software, it may be appropriate to report that SiteCoach, the blocking software used on the internet kiosks in the lobby of the Amsterdam hotel I am staying in blocks Atrios for using the f-word, and the Volokh Conspiracy for "Forbidden Keyword free sox". Actually, the "o" in that last should be an "e" -- I'd post it more clearely, but that would just ensure I couldnt access my own blog any more.

Hmm ... "couldnt access my own blog any more". Now, his blog has the style where excerpts from recent comments are displayed on the front page, using the first few words of the comment. Suppose, as a comment, on seeing this, a malicious person had posted "FREE SEX!!!". Then that phrase would appear on the front page of the blog. And perhaps trip the censorware. Moreover, if he tried to delete the comment, the editing screen would of course have displayed it, and hence also triggered the censorware (there might be way to generate a delete command without display, but most people would probably stop at the point where they were locked-out of the comment editing screen).

I didn't test this, err, directly. But likely there will be plenty of chances to see if it happens to someone ...

Posted by Seth Finkelstein at 11:59 PM | Comments (3) | Followups
April 14, 2004

"Insanely Destructive Devices" (IDD) and threat/response

[I wrote this in reply to the posting of the "Insanely Destructive Devices" article to Dave Farber's list. But it apparently didn't make the cut]

> Joy worried that key technologies of the future - in particular,
> genetic engineering, nanotech, and robotics (or GNR) because they are
> self-replicating and increasingly easier to craft - would be radically more
> dangerous than technologies of the past. It is impossibly hard to build an
> atomic bomb; when you build one, you've built just one.

When the A-bomb was first built, physicists were making bets on its destructive power. The Nobel laureate Enrico Fermi proposed a bet as to its causing a chain reaction which would ignite the atmosphere and destroy all life on Earth (the reporting of this doesn't make clear that he was obvious making a joke by exaggeration there, since if that were the winner, nobody would collect on it!) [ http://www.ninfinger.org/~sven/trinity/trin_brochure.html ]

From that auspicious beginning, there is definitely enough bomb-power in existence now to destroy civilization as we know it. That's just a fact. Maybe not all life on earth. But considering the worldwide disruption caused by a few hijacked airplanes (basically, well-targeted conventional guided missiles), hijacking a few H-bombs would be utterly devastating. You don't have to build it yourself. Just steal it. Or even buy it.

This is far less speculative than "gray goo" nanotech berserkers or gene-engineered super-viruses. Because it already exists. It's been "debugged". The engineering is there. We don't talk about it much these days, perhaps from issue-fatigue and familiarly. But that doesn't change the reality of it.

And if one wants to worry about diseases, antibiotic-resistant tuberculosis is a good one. And which is spreading now because of poor public health care.

I'm not disagreeing with the basic ideas put forth. But I think the argument would be more solid if it remained grounded in existing threats rather than speculative ones. Precisely because a speculative threat, supposedly unlike any we've seen before, could be argued to be so dangerous that it requires reactions unlike any we've taken before. I understand the whole point is to rebut this. I'm saying that bringing in the unknown is self-defeating in that regard, since by its very nature, "never before seen" can apply both to the threat and the response.

Posted by Seth Finkelstein at 11:58 PM | Comments (0) | Followups
March 07, 2004

Making Fair Use of the Report on "Big Media" Meets The "Bloggers"

Dowbrigade has sad comments on difficulty in making fair use of the Shorenstein Center report "Big Media" Meets the "Bloggers": (link credit Dave Winer)

The weird thing is the extent to which the authors have gone to make sure this milestone article in the academic history of the Blogosphere is unbloggable. Excerpts or selections of the text cannot be saved, or copied and pasted. The document cannot be converted to another format or saved as anything else. ... The selection below were typed out by the Dowbrigade, letter by letter.

It takes a very twisted view for a court to believe things like this do not impinge fair use rights ...

The encryption used here is well-known, and trivially within my technical ability to decrypt. But given what happened to the last guy who programmed about PDF files and decryption (the name Dmitry Sklyarov might ring a bell), I'll let someone else take the risk of an unquestioned DMCA 1201(a)(2) violation.

Instead, I'll note a very simple way to get usable text from the restricted file. Observe that printing is allowed. Now, one does not have to get fancy with OCR or images. Simply do a version of the "analog hole". The document can be printed. The printing process has the ability to print to a file. Use that option. That is, print the document to a file instead of directly to a printer. This produces a file in a different format.

There's a "Do not remove this tag under penalty of (DMCA) law" bit of code in that file, which handles the security for usage restrictions. HOWEVER, the text of the document itself is in the clear here! All that's needed is to make it more usable. So extract the whole text chunk from any line in the file where the line starts with a left parenthesis or ends with a right parenthesis (no text chunk has a segment with more than two lines)

That is, cough, I meant to say,

perl -n -e 'print $1 if (/^\(([^)]+)/ || /([^)]+)\)$/);' < shorenstein.ps

[I think I'm allowed to write the English statement, but in peril with the Perl statement, at least under current court precedents]

All done. You now have a file of text which, though not all that pretty in formatting, is quite amenable to cut-and-paste.

Does even this post violate the DMCA? Is it trafficking in "technology" that "is marketed by that person ... for use in circumventing a technological measure that effectively controls access to a work protected under this title."?

You guys at Harvard will defend me, right? Right? Right? ...

Disclaimer: No encryptions were broken in the making of this post.

[UPDATE: I found a simpler, better, procedure (all the following are standard Linux programs)

Use the program xpdf to generate the postscript print file. This program obeys the usage restrictions itself, but does NOT insert the usage restriction code in the generated print output.

Then use pstopdf13 to generate a PDF file from the print file (the default 1.2 version didn't work well, 1.3 works better).

This new PDF file is not usage restricted!

Then run pdftotext over this new file ... and presto, a pretty text version!

I'm really worried now ...
]

Posted by Seth Finkelstein at 04:05 PM | Comments (5)
January 27, 2004

"Howard Dean's 'smart ID' plan", and Declan McCullagh's "journalism"

Declan McCullagh's "journalism" sometimes resembles this old Bloom County cartoon:

[Scene: Declan McCullagh, err Milo Bloom, at reporter's desk in newsroom, on telephone]

Milo: Senator? This is Milo Bloom at the BEACON. Will you confirm that you sunk Jimmy Hoffa in your backyard pond?

Bedfellow: What? Of course not!
Milo: Fine. I'll go with "Sen. Bedfellow denies that pond is where he sunk Hoffa."

Bedfellow: That's NOT TRUE!
Milo: Okay. "Bedfellow DID sink Hoffa in pond".

Bedfellow: I DON'T KNOW where Hoffa is!!
Milo: "'I lost the body' says Bedfellow."

So, we have an article on how Senator Bedfellow sunk Jimmy Hoffa in the backyard pond, I mean, err:

Howard Dean's 'smart ID' plan
http://zdnet.com.com/2100-1107_2-5147158.html

Let me just collect some resources:

Howard Dean's actual old speech
http://www.security.scs.cmu.edu/statessecurity/WhitePaperWSSi.PDF
(no quotes, just read it to be informed - and interestingly, Declan does not give a link to it)

Andrew Orlowski - Who told Dean to scream for lock-down, TCPA computing?
http://theregister.com/content/6/35126.html
"So it's worth parsing what Dean really said, and on what basis McCullagh formed his stentorian, five cigar conclusion, before we can judge either party."

Ed Felten / Freedom To Tinker: Dean's Smart-Card Speech
http://www.freedom-to-tinker.com/archives/000503.html
"At bottom, what we have here is a mistake by Dean, in deciding to give a speech recommending specific technical steps whose consequences he didn't fully understand. That's not good. But on the scale of campaign gaffes, this one seems pretty minor."

Dana Blankenhorn - Wrong Time For A Cheap Shot
http://www.corante.com/mooreslore/20040101.shtml#67546
"Declan McCullagh picked the wrong time -- the day before an important primary -- to deliver a cheap shot at Howard Dean."

Etc. Everyone can run around playing catch-up. But the damage is done. Not (yet?) at the Al Gore "invented the Internet" level, but instructive all the same.

Personal note: Perhaps, from this if nothing else, some people will understand why I worry about a journalistic hatch-job on me for any legally-risky free-speech work I might do.


Update: Wow (he said it, I didn't!):

Dana Blankenhorn - Orlowski Nails McCullagh's Butt To The Flagpole
http://www.corante.com/mooreslore/20040101.shtml#67656
"I hereby call out Declan McCullagh. You are no longer a journalist, sir. You are a lying troll."

Posted by Seth Finkelstein at 11:40 PM | Comments (2) | Followups
December 30, 2003

Mathematics (false postives) and FBI Almanac Alert

[I wrote this in reply to a discussion about the FBI Almanac Alert story, for Dave Farber's list. It was replying to Hiawatha Bray (a Boston Globe reporter), commenting "I may be reading too much into this, but it suggests to me that they've been tipped off that the bad guys like almanacs. Some Guantanamo inmate probably gave it up under questioning.". Interestingly, my message didn't get passed onto the list, but his response to it did.]

Subject: Re: [IP] FBI Issues Alert Against Almanac Carriers

It would seem, with the reach of the IP list, that someone here is likely to have received a copy of the alert. Perhaps they could share? So we don't have to discuss it working from what might be selective excerpts?

But underlying the debate is a question as to whether the information actually does more harm than good. Here's a thought experiment to make it clearer:

Suppose some Guantanamo inmate gave up under questioning the following intelligence:

"We really liked using the New York Times crossword puzzle for a 'book code'. Of course we used the clues, not the answers. Think about it - using the first word of the clue, it's a list which is all nicely numbered, so that means no errors in counting out which word corresponds to which number. And pouring over it doesn't look suspicious. Moreover, just about everywhere, you can easily get a copy of the day's New York Times. So it works as common codebook between different cities and even different countries."

Useful info? Maybe. But would it do any good to issue an alert saying in part "Take into account any interest in the New York Times crossword puzzle?" (note not the Boston Globe crossword puzzle, or the Washington Post crossword puzzle, etc.)

From one point of view, it's another piece of information. But the problem is that it's such a common activity, there's also a very high chance that it'll be part of creating false positive.

Or, more bluntly (no offense meant to Hiawatha), this is the problem of "The criminal suspect is described as an African-American male".

[N.b. Hiawatha Bray is an African-American male, hence my no-offense comment.]

Posted by Seth Finkelstein at 11:59 PM | Followups
December 27, 2003

Linux evangelism opportunity from Microsoft worm/virus web woes

[I wrote this in reply to the message message on Dave Farber's list about not being able to connect unpatched Windows PCs to the net because they instantly get infected by Microsoft worms. But it apparently didn't make the cut]

Subject: Re: [IP] Microsoft's festive advice: Don't plug our PCs into the Web
> But as Simon Moores, an internet consultant, pointed out yesterday, the
> software giant's admonitions "place the world in a catch-22: you can't be
> sure that it's safe to go online unless you connect to the internet and get
> a huge file of security updates from Microsoft, and new anti-virus files -
> which are also only available online".

Every time I see something like this, I think there is a great evangelism opportunity in having a bootable Linux CD which is optimized for naive users to use to go online to download fixes and updates from Microsoft. Take the idea of a "rescue" disk, and expand it to "rescue-from-Microsoft" CD.

I can see it now: "Oh, you have a new PC - here, take this "rescue-from-Microsoft" disk. You'll need it to go online without being infected by Microsoft viruses in the first place. Why do you need it? Well, let me tell you a story ..."

[I had cc'ed this to someone, and they asked if it was in fact feasible. I replied per below]

I believe so. Bootable Linux CD-ROMs have been around for ages, and then one would have to apply all the work which has gone into automatic configuration. It probably wouldn't work for every conceivable PC. But I think it should be do-able for the mass-market machines. Take a look at the "Linux Bootable Business Card":

http://www.lnx-bbc.org/

The LNX-BBC is a mini Linux-distribution, small enough to fit on a CD-ROM that has been cut, pressed, or molded to the size and shape of a business card.

LNX-BBCs can be used to rescue ailing machines, perform intrusion post-mortems, act as a temporary workstation, and perform many other tasks that we haven't yet imagined.

It would seem to be a straightforward step to adapt this to something optimized for downloading Microsoft updates for new PC's.

Posted by Seth Finkelstein at 11:17 PM | Comments (3) | Followups
December 09, 2003

Diebold Electronic Systems And Ilk, Form Flacking Group

Ed Felten asks Voting Machine Vendors To Do ... What?:

In today's Washington Post, Jonathan Krim reports on a new effort by the e-voting machine vendors to do ... something or other. The article, which is titled "Voting-Machine Makers to Fight Security Criticism", doesn't quite say what they're planning to do.

Ah, the wonders of the net, you can read the press release directly:
Companies Form Election Technology Council

ETC members will work together to raise the profile of electronic voting, identify and address security concerns with electronic voting, develop a code of ethics for companies in the electronic voting sector, and make recommendations in the areas of election system standards and certification.

Or, to translate:

Foxes will work together to raise the profile of farming, identify and address security concerns with farming, develop a code of ethics for predators in the farming sector, and make recommendations in the areas of henhouse standards and certification.

Clear?

Further:

You've really gotta wonder how a non-story like this got onto page 2 of a major newspaper.

Nope. It's the power of the press release. Just search Google News for others generated by that press release.

Posted by Seth Finkelstein at 11:59 PM | Followups
November 23, 2003

Treacherous Xboxes - "Trusted Computing" and Xbox-ization

[I wrote this as a contribution to a discussion thread regarding "Trusted Computing" and whether the goal of that is to turn the PC into restricted console similar to the gaming machine "Xbox"]

Date: Sun, 23 Nov 2003 17:01:27 EST
To: dmca_discuss[at-sign]lists.microshaft.org
Subject: Treacherous Xboxes

Seth-DS, [David Schoen] I believe there is a slight disconnect between what you are thinking regarding the meaning of the phrase "not trying to turn the PC into an Xbox", and where "treacherous computing" is in fact trying to turn the PC into an Xbox. And this is leading to some talking-past-each-other.

There is indeed some subtlety here. That is, there are two senses where the above can be true. The Axis-Of-Copyright would like the PC to be an Xbox in terms of it being an appliance which is a dedicated terminal for their marketing. The vendors would like the PC to be an Xbox in terms of having it be restricted to running only approved, licensed, hardware and software. These are not quite the same thing. The subtle difference is, I believe, the only thing which is saving us from having TCPA platforms mandated immediately (see Broadcast Flag).

Both of these, however, are thoroughly inimical to owner control! Hence the users-are-enemies orientation you've noted yourself.

In either case, "Owner Override" is contradictory, so it won't ever be allowed.

Posted by Seth Finkelstein at 11:59 PM | Followups
November 07, 2003

Broadcast Flag - more strategies for fighting it with Open Source

More from the depths of the FCC ruling on the Broadcast Flag, from a partial dissent to the ruling. Note what arguments have a foundation of support, and where there's an opportunity to play to those issues (emphasis mine):

STATEMENT OF COMMISSIONER MICHAEL J. COPPS APPROVING IN PART, DISSENTING IN PART

We must remain vigilant during the interim procedures established today and work expeditiously to develop a longer term process that includes clear technical criteria with a transparent road to approval. That is one of the principal purposes of the Further Notice that we approve today. As we move forward, we must also be careful not to chill development of software solutions generally, particularly for beneficial purposes such as software defined radio ...

But I must dissent in part because I believe that we fail to protect consumer interests in important parts of the decision. I dissent in part, first, because the Commission does not preclude the use of the flag for news or for content that is already in the public domain. This means that even broadcasts of government meetings could be locked behind the flag. Broadcasters are given the right to use the public's airwaves in return for serving their communities. The widest possible dissemination of news and information serves the best interests of the community. We should therefore be promoting the widest possible dissemination of news and information consistent, of course, with the copyright laws.

Software and public domain. That seems to be the key.

Posted by Seth Finkelstein at 03:29 AM | Followups
November 06, 2003

Broadcast Flag - fighting it with Open Source

Down deep in the FCC ruling on the Broadcast Flag is the key to effective tech fighting of it (my emphasis):

VI. FURTHER NOTICE OF PROPOSED RULEMAKING

Although we believe that our adoption of a flag-based redistribution control system for digital broadcast television will further the digital transition and ensure the continued flow of high value content to broadcast outlets, further comment is needed on several issues. ...

In response to our Notice of Proposed Rulemaking, EFF questioned the impact of a flag based regime on innovations in software demodulators and other DTV open source software applications.138 The Commission has actively promoted the development of software defined radio and other software demodulators as important innovations in the digital age.139 We seek further comment on the interplay between a flag redistribution control system and the development of open source software applications, including software demodulators, for digital broadcast television.

This is the wedge which can be used to throw a monkey-wrench into the works (forgive that sentence). Or at least try.

Posted by Seth Finkelstein at 03:29 AM | Comments (2) | Followups
November 03, 2003

On Diebold: The DMCA Is An Anti-Freedom-Of-Information-Act

Inspired by all that's been going on with the Diebold Election Systems / Swarthmore story today, such as NYT: File Sharing Pits Copyright Against Free Speech, and Online Policy Group v. Diebold case archive:

People are told to think of the DMCA as an "anti-piracy" law. It's supposed to stop copyright infringement. But in terms of implications, the DMCA is an anti-freedom-of-information-act. It's turned into an all-purpose gag-order tool. The reason is stated to be infringement - but it's very easy for that reason to turn into an excuse. This is the exact same phenomena as when material is improperly classified as "secret". The ostensible reason is protecting national security, but too often in reality it's hiding government incompetence or corruption. Except that now, "copyright infringement" works much better in certain contexts than "national security".

Consider this - the process of voting is perhaps the most fundamental aspect of a functioning democracy. And yet, we're expected to accept that we are not permitted to check and monitor the mechanics by which the votes are being counted. It's "secret balloting", in a very negative sense! Rather than control the votes, it's control of the vote-counting machines.

Posted by Seth Finkelstein at 04:47 PM | Followups
August 25, 2003

DVD-CCA v Bunner, technical information, and public concern

This part of today's decision in the DVD trade-secret case, deserves special note. It addresses what the court considers the unimportance of "technical information":

DVD CCA's trade secrets in the CSS technology are not publicly available and convey only technical information about the method used by specific private entities to protect their intellectual property. Bunner posted these secrets in the form of DeCSS on the Internet so Linux users could enjoy and use DVD's and so others could improve the functional capabilities of DeCSS. He did not post them to comment on any public issue or to participate in any public debate. Indeed, only computer encryption enthusiasts are likely to have an interest in the expressive content-- rather than the uses--of DVD CCA's trade secrets. (See Tien, Publishing Software as a Speech Act, supra, 15 Berkeley Tech. L.J. at pp. 662-663 ["Programming languages provide the best means for communicating highly technical ideas--such as mathematical concepts--within the community of computer scientists and programmers"].) Thus, these trade secrets, as disclosed by Bunner, address matters of purely private concern and not matters of public importance. ...

Only "computer encryption enthusiasts"? Not "matters of public importance"??

Calling Ed Felten ...

Posted by Seth Finkelstein at 06:23 PM | Followups
August 22, 2003

Sobig.F virus and spam

[The context of this was a mailing list thread about an expected wave of Sobig.F virus attacks from certain sites in the virus data]

I ran the list of Sobig.F attack addresses through Google searches, both by address and by resolved name, to see if anything interesting could be found. The data and results confirmed what Rich Kulawiec had written about the connection to spamming systems. That is, there is a connection to spam systems.

At least eight of the sites appeared in various spam-denying log files from one place which makes such logs public.

Sites found:

12-232-104-221.client.attbi.com
218.147.164.29
cpe-024-033-066-038.cinci.rr.com
ip-24-197-143-132.spart.sc.charter.com
modemcable043.91-202-24.mtl.mc.videotron.ca
modemcable081.207-131-66.nowhere.mc.videotron.ca
pcp04447100pcs.verona01.nj.comcast.net
pcp694043pcs.anaprd01.md.comcast.net

Detailed data below

http://mailhost1.tudelft.nl/disnorm/ or http://mailhost2.tudelft.nl/disnorm/

[The last number is the number of hits of the site from that day, I think]

mailhost1-grep.2003-07-26 pcp694043pcs.anaprd01.md.comcast.net (blacklist) 1
mailhost1-grep.2003-07-29 ip-24-197-143-132.spart.sc.charter.com (blacklist) 1
mailhost1-grep.2003-07-30 12-232-104-221.client.attbi.com (proxies) 1
mailhost1-grep.2003-07-31 12-232-104-221.client.attbi.com (proxies) 1
mailhost1-grep.2003-08-02 218.147.164.29 (proxies) 2
mailhost1-grep.2003-08-02 218.147.164.29 (blacklist) 2
mailhost1-grep.2003-08-02 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost1-grep.2003-08-03 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 3
mailhost1-grep.2003-08-03 218.147.164.29 (proxies) 2
mailhost1-grep.2003-08-05 218.147.164.29 (proxies) 1
mailhost1-grep.2003-08-10 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost1-grep.2003-08-11 modemcable081.207-131-66.nowhere.mc.videotron.ca (blacklist) 1
mailhost1-grep.2003-08-12 modemcable081.207-131-66.nowhere.mc.videotron.ca (blacklist) 2
mailhost1-grep.2003-08-12 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost1-grep.2003-08-13 12-232-104-221.client.attbi.com (proxies) 1
mailhost1-grep.2003-08-13 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost1-grep.2003-08-14 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 2
mailhost1-grep.2003-08-15 218.147.164.29 (proxies) 7
mailhost1-grep.2003-08-15 cpe-024-033-066-038.cinci.rr.com (proxies) 5
mailhost1-grep.2003-08-15 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost1-grep.2003-08-16 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 2
mailhost1-grep.2003-08-16 218.147.164.29 (proxies) 1
mailhost1-grep.2003-08-17 218.147.164.29 (proxies) 9
mailhost1-grep.2003-08-17 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 2
mailhost1-grep.2003-08-17 ip-24-197-143-132.spart.sc.charter.com (blacklist) 2
mailhost2-grep.2003-07-24 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-25 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-26 pcp694043pcs.anaprd01.md.comcast.net (blacklist) 8
mailhost2-grep.2003-07-27 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-28 12-232-104-221.client.attbi.com (blacklist) 1
mailhost2-grep.2003-07-30 12-232-104-221.client.attbi.com (blacklist) 2
mailhost2-grep.2003-07-31 12-232-104-221.client.attbi.com (blacklist) 7
mailhost2-grep.2003-08-01 218.147.164.29 (blacklist) 1
mailhost2-grep.2003-08-02 218.147.164.29 (blacklist) 3
mailhost2-grep.2003-08-03 218.147.164.29 (proxies) 4
mailhost2-grep.2003-08-04 12-232-104-221.client.attbi.com (proxies) 2
mailhost2-grep.2003-08-11 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 3
mailhost2-grep.2003-08-11 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost2-grep.2003-08-12 modemcable043.91-202-24.mtl.mc.videotron.ca (proxies) 1
mailhost2-grep.2003-08-15 cpe-024-033-066-038.cinci.rr.com (proxies) 2
mailhost2-grep.2003-08-15 218.147.164.29 (proxies) 2
mailhost2-grep.2003-08-15 12-232-104-221.client.attbi.com (proxies) 1
mailhost2-grep.2003-08-16 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1
mailhost2-grep.2003-08-16 218.147.164.29 (proxies) 1
mailhost2-grep.2003-08-17 218.147.164.29 (proxies) 4
mailhost2-grep.2003-08-17 ip-24-197-143-132.spart.sc.charter.com (blacklist) 2
mailhost2-grep.2003-08-17 pcp04447100pcs.verona01.nj.comcast.net (blacklist) 1

Posted by Seth Finkelstein at 07:18 PM | Followups
August 03, 2003

John Gilmore ("Suspected Terrorist") trashes me as a troll

My sins have come back to haunt me. John Gilmore has a front-page post on Lessig's blog, where he rebuts criticism of his actions in part by trashing me as a troll.

It's been interesting reading. I'd like to respond. I suppose the obvious place to start is with Seth Finkelstein's trolls. (Of course he is doing what he accuses me of - making outrageous statements and then chuckling when people take them seriously).

And later:

Some people here (including Mr. Troll) think that the minor risk that someone on the plane will have a panic attack after reading a tiny button, makes the button a "safety" issue, as if I had falsely cried "fire" and risked starting a stampede.

Well, yes, I do. The risk is foreseeable, and one can trivially take off the button, and the risk is eliminated. No-brainer. That's very much what I think.

But I have, for all intents and purposes, ZERO ability to shout this to a zillion people and defend myself against being called "Mr. Troll" (wasn't me who got an airplane turned around and started crying censorship over it!).

The way to success is saying simple, popular, demagoguery. The right thing for me to do was to join the chant-and-rant, to cheerlead along the lines of

"Another atrocity in post-Constitutional America! It's a terrible 9/11 loss of freedom, when a man can't even wear a "Suspected Terrorist" button on an airplane. A button's part of who you are, just like being Middle-Eastern or Muslim. How can an airline dare infringe on making political statements about being a suspected terrorist, in the name of "safety" and "security"? We must shout to the world about the grave Ashcroftian injustice here!"

Or at least keep my big mouth shut. Instead, I was dumb. I admit it. I said what I thought, which was that John Gilmore was being a troll. In my head, I know better than to do these things. But I just haven't taken the message to heart.

I have now got 1) John Gilmore 2) Brad Templeton 3) Larry Lessig, all somewhere between mad or unhappy at me. These situation are my undoing. I haven't learned that in politics, you line up or suffer the consequences.

Oh, I can attempt to defend myself by posting a comment somewhere, or my own blog, to the whole wide range of audience of dozens of readers. Whoop-de-doo.

It's not that, at some level, I didn't know I was playing with fire. Rather, in terms of heat and kitchens, I'm way too underpowered to survive. It's like a safety match versus a flamethrower.

Posted by Seth Finkelstein at 01:52 AM | Comments (9) | Followups
July 30, 2003

More on "Suspected Terrorist", John Gilmore, Trolling

GrepLaw was kind enough to mention me in a story about [John] Gilmore's Flight Stunt Revisited, and to link back. So here's some more remarks on the topic.

First, the whole original account starts off in a way that is easy to misunderstand:

"Suspected Terrorist" button gets Gilmore ejected from airplane

It conjures a mental image of someone saying "Aha, you're wearing a forbidden button - off with your head, I mean, the flight". If the title were instead

Insisting on wearing "Suspected Terrorist" button gets Gilmore ejected from airplane

it would be more informative, though admittedly more cumbersome. That is, the information not given at the very start of the presentation, is that Gilmore wasn't suddenly put off the flight. Rather, he was repeatedly required, first by a steward, then by the captain, not to wear the button, with the captain saying it would "endanger the aircraft". And he responded "I told him that it was a political statement and declined to remove it." It would capture even more of the flavor of the event to have a title of

"Making political statement about being a "Suspected Terrorist" gets Gilmore ejected from airplane.

I sympathize with Gilmore's reaction. But under these circumstances, I think the captain was correct. Now, when Jonathan Swift published "A Modest Proposal", there were people who thought he was serious about eating babies.

Gilmore means his button as a hip, ironic, joking statement. But there will be uncool, unhip, un-smart people, who just won't get the joke. Some people's minds simply don't work with appreciation of the kind of humor popular in the techie crowd. They can't imagine someone voluntarily wearing such a designation about potentially being a terrorist. They will think
"OH MY GOD THERE'S A SUSPECTED TERRORIST ON THIS PLANE!"

Gilmore's stunt is in fact one of the closest things I've ever seen in real life to the hoary free-speech cliche regarding
"falsely shouting fire in a theater and causing a panic."

He wants to "joke about being a terrorist while on an airplane, regardless of causing a panic"

It's not quite the same thing. But it's still notable for its physical aspect of provoking a response of fear and danger. Again, such actions are overall being a troll, not being a freedom-fighter.

Posted by Seth Finkelstein at 11:59 PM | Comments (1) | Followups
July 21, 2003

"Suspected Terrorist", or Troll? - John Gilmore and security

"Suspected Terrorist" button gets Gilmore ejected from airplane is the title of John Gilmore's story, now making the rounds.

I greatly admire John Gilmore as a civil-libertarian. That does not mean I think he is always right.

I've finally figured out what bothers me so much about this incident.

In effect, Gilmore was doing a millionaire's version of trolling.

It's a super-scaled-up version of what kiddies do on discussion boards and blog comments.

The sequence is as follows: Do something you KNOW will provoke people (proclaiming "Suspected Terrorist"). Then, when you find someone who bites, when the provocation succeeds, slap your knee in glee that they have been so stupid, so dumb, such idiots, as to react to the obvious troll. ("But I would be hard pressed to come up with a security measure more useless and intrusive than turning a plane around because of a political button on someone's lapel.")

As the reaction progresses, fuel it with liberal amounts of accusations regarding free-speech and I'm-being-censored ("I declined, saying that it was a political statement and that he had no right to censor passengers' political speech ... Ultimately, I was refused passage because I would not censor myself at her command.")

Almost everyone has to content themselves with doing this in comment sections, to a minor audience. Gilmore has managed this on an airplane, and to a huge audience ("They turned the plane around and brought it back to the gate, delaying 300 passengers on a full flight.")

I absolutely believe he is sincere in his beliefs. But he's still doing the 100% classic troll-pattern. Just not insincerely.

Now, the logic error, is that this presented as being a matter of a "political statement". But crew didn't find the politics themselves threatening. What they seemed found threatening was the possibility that some dumb, stupid, idiot might get panicked by the speech ("She said that passengers and crew are nervous about terrorism and that mentioning it bothers them, and that is grounds to exclude me"). But given that they would have to deal with the panic, and Gilmore would not, they made it a condition of the flight that Gilmore not do the speech they feared might panic someone.

It's very easy to shift away, to go debate an abstract general principle, rather than given the specific context right here, in an airplane, the consequences of someone panicking could be severe. And it's not obvious that he has a legal or even a social right to do political theatre IN THIS TIME, PLACE, AND MANNER.

In almost any other circumstances, I'd be on his side. But poking panicky people on long airflights is not laudable. He's pushing people's buttons about "security". But stripped of the veneer of reflexive opposition to airport staff, this is merely trolling.

Posted by Seth Finkelstein at 10:54 PM | Comments (1) | Followups
July 18, 2003

Kill the "ACCOPS" bill via applying it to Microsoft Windows!

Regarding the proposed "ACCOPS" law (post a copyright work, go to jail) Edward Felten has remarked:

As so often happens in these sorts of bills, the definition has unexpected consequences. For example, it would apparently categorize Microsoft Windows as "enabling software," since Windows offers both file server facilities and network search facilities. ...

I was just musing that the quickest way to kill this silly bill would be to apply it to Microsoft Windows - and in fact, such an application would be well-deserved! After all, if any software is worth a strong warning that it "could create a security and privacy risk for the user's computer", Microsoft Windows surely qualifies! Just yesterday, there was a notice:

A critical, remotely exploitable security vulnerability has been found in a part of the Microsoft Windows operating system software. This vulnerability affects all versions of Windows commonly run in SCS, including NT, 2000, and XP. It is important that people apply the appropriate patch to their PCs.

Details about the vulnerability can be found at:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

That definitely sounds to me to be "a security and privacy risk for the user's computer"!

Posted by Seth Finkelstein at 08:21 PM | Comments (0) | Followups
June 09, 2003

Ability for Weblogs to link New York Times Archive

Dave Winer's done some great work with an agreement to have the ability for weblogs to link to the New York Times Archives. Take a look at:

New York Times Archive and Weblogs
http://davenet.userland.com/2003/06/06/newYorkTimesArchiveAndWeblogs

You have to use the URLs generated by http://backend.userland.com/directory/167/feeds/newYorkTimes , otherwise the link won't work.

Some notes of my own on the system which makes up the URLs:

The "ex" field seems to be some sort of timestamp-based database key, in units of seconds. I see variations which have intervals of exactly 86400, which is the number of seconds in 24 hours.

I'd guess the "ei" field is a partner id number. It seems to be constant.

The "en" field is almost certainly a checksum. Presumably it takes into account the URL and other fields.

The hard part of synthesizing a working URL will be the algorithm for the "en" field.

Posted by Seth Finkelstein at 11:58 PM | Followups
June 04, 2003

Palladium as P2P Enabler - cypherpunk fantasy redux

A little late, since I was busy, but just to have this in the blog-ether:
Edward Felten has a posting about the paper Trusted Computing, Peer-To-Peer Distribution, and the Economics of Pirated Entertainment, and remarks:

A new paper by Stuart Schechter, Rachel Greenstadt, and Mike Smith, of Harvard, points out what should have been obvious all along: that "trusted computing" systems like Microsoft's now-renamed Palladium, if they work, can be used to make peer-to-peer file sharing systems essentially impervious to technical countermeasures.

I'm having a bad flashback to the days of the censorware wars. Then, some pundits would opine that if we had a totally "rated" net (i.e. all content had a label on it), then - ha ha, unintended consequences - people could use the censorship system to find cool things. Or, elsewhere, taking the no-privacy ideas most often associated with David Brin, then - ha ha, unintended consequences - people could use the surveillance system against corrupt government officials. Here, if we have total computing control - ha ha, unintended consequences - people can construct a secure INTRAnet.

The problem with this approach in this case is mentioned down around the seventh page in the paper:

If the attacker can write programs that impersonate genuine clients, there is no limit to the number of malicious peers that can be introduced into the system.

Bingo. In any widely-distributed file-sharing system, RIAA/MPAA/Axis-Of-Evil will have access to clients too. Ultimately, all we've done is gone around that issue all over again. Nothing new here folks, there's going to be no techno-judo.

Posted by Seth Finkelstein at 12:38 PM | Followups
May 22, 2003

GATOR-Wrestling

Documentation of Gator Advertisements and Targeting is Ben Edelman's just-announced Gator ad study. Out of curiosity, I started digging into the details of Gator's actions. It does send back some information from your computer to its servers. So far, I've found most common action of calling home seems to be an ordinary HTTP POST to the URL
http://bannerserver.gator.com/bannerserver/bannerserver.dll?GetBannerList
The data fields then are the following:

MachineID
MachineInt
Banner-Version
ProductVersion
OEMID
Locale
ZipCode
UserID
UserInt
LocalTime
GMTTime
BnrTypes
AIC-0
Site
DefBrowser
InstDate
GTRGF
PA

More as interest/discovery permits ...

Posted by Seth Finkelstein at 02:51 AM | Followups
March 13, 2003

Mitch Kapor resigns from company over domestic surveillance system

There's a fascinating NYT article making the rounds, Software Pioneer Quits Board of Groove (also available from the IP list) It's chock-full of food for thought. Summary: Mitch Kapor, millionaire and EFF-founder, resigned from Groove networks as "the company's software was being used by the Pentagon as part of its development of a domestic surveillance system." And more:

The company acknowledged the resignation last week when it announced that it had received $38 million in additional financing. ...

"With the dramatic change of funding availability in the high-tech sector, it's become difficult for companies to turn down the funding opportunities presented by the federal government," said Marc Rotenberg, director of the Electronic Privacy Information Center in Washington. ...

"Computer scientists are going to have the same kinds of battles that physicists did amidst the fallout of Hiroshima and Nagasaki," said Michael Schrage, a senior adviser to the Massachusetts Institute of Technology Security Studies Program.

Now, this is not quite so new, as everyone should remember that the Internet originated from a military funding project. (and Al Gore did indeed help its evolution greatly, contrary to a certain fabricated journalistic slam). But what's notable, if not exactly new, is that money is flowing. It's sort of like a flood. Whenever either money or floodwater washes over an area, it's never the same afterwards.

Hmm ... I think I hear the Dark Side calling me ...

Posted by Seth Finkelstein at 10:56 PM | Followups