Slashdot Mirror

You may know that some websites use scripts to record everything from a session, every keystroke and mouse move. And they don't feel oblidged to inform you that they are doing this.

https://freedom-to-tinker.com/...

Anti DRM-circumvention laws were originally enacted to penalize copying of audio and video from physical platforms like CDs and DVDs. When audio and video streaming came to the web, those laws still applied.

A video store can legally sell a legal copy of a Hollywood movie full of sex and profanity. But if they pay for the copy, edit out the sex and violence, and sell the edited copy, that's illegal. See https://freedom-to-tinker.com/...

Now let's apply this to the web. A website puts weak HTML-DRM on its entire webpage, including ads. If you block ads, pupups, autoplaying garbage, etc, to get a cleaned-up webpage, you're subject to prosecution, just like the outfit that sold cleaned-up DVDs. If the web doesn't have built-in DRM, that becomes a lot less likely.

NYC to Collect GPS Data on Car Service Passengers—Good Intentions Gone Awry or Something Else? https://freedom-to-tinker.com/...

Some other nice ones:

Markets are efficient iff P=NP
Finding out if there are booby traps in certain derivatives (like CDOs) is NP-complete

17 December 2003 — release of Linux kernel 2.6.0 (5,929,913 lines of code)

If we're all feeling nostalgic, this should do the trick:

The Linux Backdoor Attempt of 2003

if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
      retval = -EINVAL;

But on Nov. 5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all.

Other issues back in 2003 were burning up the Linux development intertubes.

The mind behind Linux

16:00

To me, the sign of people I really want to work with is that they have good taste, which is how ... I sent you this stupid example that is not relevant because it's too small. Good taste is much bigger than this. Good taste is about really seeing the big patterns and kind of instinctively knowing what's the right way to do things.

The following is my idea of good taste (since the 1980s), whenever a comparison involves a constant term:

if ((options == (__WCLONE|__WALL)) && (0 = current->uid))
      retval = -EINVAL;

This does not achieve root. It won't even compile.

1. Not all transit providers are equal. Some make better deals with peers than others.

Not all watermelons are equal, either; some are larger and/or have fewer seeds than others. In fact, outside of mathematics, it is quite rare to find two truly equal entities. Basically, inequality is a given in the real world. Hell, not all streaming video providers are equal, which is why many people subscribe to two or more. In fact, Netflix uses multiple transit providers[1-8] for similar reasons.

2. Some transit providers are less expensive because they lack the ability to make the best deals with peers.

This is just plain backwards. A transit provider who makes better peering deals has lower costs, so they don't have to charge as much! I know this seems counter-intuitive when you consider that those providers also offer a better service, as you'd think that's something they could charge a premium for, but it should make a bit more sense when you consider the corollary: a transit provider who makes worse peering deals has higher costs, which they must recoup from their customer. Sort of like how Costco charges less because they make better deals buying in bulk; or, rather, other retailers must charge more because they didn't make the same deals.

3. To cut costs, Netflix chose a less expensive transit provider.

First of all, your assertion that Netflix uses a single transit provider is just plain wrong[1-8]. It has been made public knowledge (despite being none of our damn business) that their primary transit providers are Level 3 and Cogent[1-8], and that they purchase transit services from at least 4 other providers, Tata, XO, NTT, and Telia[1,3].

As for your assertion that Netflix only buys from the lowest bidder, well, it appears that the buy from anyone who can provide transit between them and the networks their customers are on[1-8]. Not only do they buy transit from all three available providers who route directly from their POIs to Comcast's[1], they even buy transit from Comcast now[3]. And, despite that, I still see buffering issues with Netflix on a 75Mbps Comcast Business connection, which points to the issue not lying with Level 3, Cogent, or any of Comcast's other providers with names not starting with C and rhyming with "bombast".

In case you want sources, here[1] are[2] a[3] few[4] you[5] can[6] check[7]. out[8].

At least you proved you weren't trolling; I guess that only leaves one other possibility.

Footnotes:
[1] "Netflix attempted to address congested routes into Comcast by purchasing all available transit capacity from transit providers that did not pay access fees to Comcast—which involved agreements with Cogent, Level 3, NTT, TeliaSonera, Tata, and X0 Communications. Although all six of those providers sold transit to the ent

Whoppee doo. He just said that Ubuntu won't mess with any of the Debian packages that they rebrand.

So what, it's the same thing.

Now, a real pledge would be that Ubuntu would actively audit security-critical packages from upstream providers to prevent disasters like the real-life backdoor that Debian added to OpenSSL when they screwed up the PRNG: https://freedom-to-tinker.com/...

Was it evil NSA conspiracy? No, but it was a real backdoor added to an open source project!

You do realize that this story starts talking about Comcast, the same company that tried to charge Netflix for data that their customers were requesting? They also kicked out Netflix's caching servers from their datacenters before this. Comcast brought their problems on themselves by refusing to upgrade connections to accommodate the needs, and intentionally pushing more traffic onto the uplinks. I can't imagine how anyone would have sympathy for a company that intentionally causes over saturation of their uplinks when they have been offered free upgrades!

http://www.infoworld.com/artic...
https://gigaom.com/2014/10/28/...

http://consumerist.com/2014/02...
https://freedom-to-tinker.com/...
http://knowmore.washingtonpost...

The NSA is our new overlord and conscience. So I'm contrarian here and curious: what did AT&T get out of this?

Money. AT&T charged the NSA for access to their network. The linked article is from 2007 and suggests that the only way for a backbone provider to make money is to sell access to the government. This is not new information for anyone who has been watching.

Then configure your miners to not accept these transactions.

Essentially the blockchain is exactly this: A way to record information in an unforgeable way, for a fee to the miner. Bitcoin works, and the only way it can work, is by being a system that behaves in a desired way when each player maximizes their own benefit. (To a small extent this can be affected in a centralized fashion because the community can develop the reference implementation to a desired direction, but that may or may not turn to be anathema and may or may not be a powerful enough tool.)

True, blockchain bloat causes problems, and it's a limited resource. The bitcoin solution is to sell the space to the highest bidder, because generally that maximizes the seller's benefit. In a sense, someone saying "that's not what the blockchain is for" is very similar to someone complaining that people are using lithium to make these stupid batteries, driving its price up, and "that's not what lithium is for".

Whether Bitcoin can survive all the technical challenges in the long term is not at all obvious. For all we know, it might be that the entire model is game-theoretically self-destructive if analyzed thoroughly enough. In fact, it has provided quite a few surprises where the incentives have turned out to be something different than anticipated, causing weird scenarios where e.g. in some situations it's advantageous for a miner to not immediately report a found block. So far none of these have been such that they would cause a death spiral, but that's far from a given. (Arvind Narayanan's blog posts on the topic are quite insightful; you might want to start from https://freedom-to-tinker.com/...).

" The dispute arises from a section of the Digital Millennium Copyright Act that no one thought could apply to vehicles when it was signed into law in 1998"

Do the editors even read this site ? Virtually everyone realized this could apply to just about anything that ran code. There was even the infamous use garage door opener case

https://freedom-to-tinker.com/...

And the HP and Lexmark toner cartridge cases which were just about embedded serialization
 

After a 5-year long campaign by European and U.S. digital rights NGOs, today the European Parliament turned a dubious Commission proposal on its head to safeguard the principle of net neutrality. It’s a historic win, and all over the news. It also shows how digital rights advocacy is maturing.

Remember GnuTLS

And forget about Microsoft TLS, since you will never be able to find out about the holes in that. 'cmon, it was the Linux guys catching a backdoor insertion attempt which first alerted people to the fact that such attempts are being made.

Now ask yourself why, since the 19th century, we decided that government regulation instead of contracts was a better solution?

Now ask yourself why we decided, since the mid-late 20th century, that it had been a bad idea, and reversed it.

That happened across the spectrum, not even just for money. In Slashdot's favorite topic (no, not cars!), people are constantly going on about how copyright's terms got replaced by EULAs and even when there isn't a EULA, the legality of various actions is determined by "authorization" (by non-government entities), and I recently heard of something called "soft law" where the government is sort of involved in things and sort of not, all without having to bother with that old "Congress" nonsense.

As for money, I know people routinely make decisions about whether to use debit cards or credit cards based on chargeback predictions, where even debit card dollars are different than cash dollars in certain ways, and then some people are seriously into various "rewards programs" (or frequent flyer miles, or whatever) where they "earn" company currency that they spend (instead of dollars) on highly-restricted availability markets, whereas some other people actually convert dollars to company currencies, that they spend on files from Microsoft or Apple. (And I'm just scratching the surface on all the variants of company currencies.)

The idea that all money should be the same and have the same rules, might not be as old as my 19th century attitude, but it's old enough to label you as quaint and hopelessly out of date. And strangely, my 19th century view is more contemporary than yours. (I guess we do things in cycles. Laugh at me in 2060 when "neo-civil law" is the thing on everyone's lips.)

What happened is that we all disagree what the rules should be. So we agreed on one thing: we'll all go our seperate ways, sometimes as a conscious decision, sometimes with a whip at our backs, and sometimes by trickery. And yes, you (probably) agreed to also, every time you use one of these various cash alternatives. Bitcoin is just one more among the dozens, except interestingly, with the least amount of corrupt and co-opted baggage (so far).

The bitcoin protocol itself works by having every transaction public, this is all stored in the blockchain. I send you a coin, and publicly announce this with a message signed with my private key. If I try to spend the same coin twice, then this is where the transaction confirmation chain kicks in (and why you need to wait for X number of confirmations). When you announce sending a coin to somebody else, I see the message, and additionally sign your transaction message with my private key and add it to the blockchain. The next person to see the transaction, will again sign on top of all the previous confirmations.

If I try to double spend a coin, then there will be two different sets of transaction history. The bitcoin client is configured to accept the transaction confirmation chain with the most number of signatures as valid, the other one is ignored. Additionally, clients in the network will only additionally sign the chain they believe is valid. Once you get more than a few signatures, its almost computationally impossible to fake a confirmation chain faster than the network, assuming you don't have 51%+ CPU dominance (which is the worry about cex.io going rogue).

The MtGox issue is that they wrote their own custom bitcoin software to deal with the running of a high transaction volume exchange. They where not waiting for transaction confirmations from the network to check their own internal transactions. Their software was buggy and suffered from an exploit using Transaction Malleability. See https://freedom-to-tinker.com/...

The best real world bank analogy, is if you where to go to a cashpoint ATM outside a bank, withdraw money from the system, then enter a special code into the ATM which makes it display an error message. You then go into the bank and show them the error message, and ask them to refund the ATM withdrawal from your account claiming the ATM never gave you any cash (but in truth you did get the cash). This process didn't create new cash out of thin air, in practice you just got the bank to give you free money.

Eventually the bank becomes bankrupt, and you discover that what you actually own is not cash but rather an IOU from the bank for cash, which the bank can't pay.

Reuters reported on Saturday that the NSA had secretly paid RSA Data Security $10 million to make a certain flawed algorithm the default in RSA’s BSAFE crypto toolkit, which many companies relied on. RSA issued a vehement but artfully worded quasi-denial. Let’s look at the story, and RSA’s denial....

You specified casual review and impenetrable code. The assignment example was indeed caught, but the point I was trying to make is that it was deliberately designed to attempt to pass human visual scrutiny, not the compiler. Anyway, this was ten years ago, and so comments from the dawn of time:

"Ah, but it wouldn’t give you a warning because its encapsulated in an extra set of ()’s. Actually it is a rather elegant hack."

"Yup, Trent’s right. I tested something similar. It passed just fine using 'gcc -Wall -pendantic -O'. Brrr quite an evil little thing, and very easy for a reviewer to miss, as easy as missing a typo."

This is a decade-old example of abusing a language syntax for malicious purposes. I don't know what to tell you if you think the compiler is going to save you in the event of a syntactically valid, but purposefully flawed, implementation.

There's a missing comment upthread which included half a dozen or so links (including one back to Slashdot) about projects that have quite, quite effectively demonstrated that captchas are worthless.

Of course anyone of even modest intelligence would be capable of doing their own homework and searching the web for things like "captchas defeated", then reading what they find. It's old news (years-old, in fact) by now, so there's plenty to read about. But then again, nobody of modest intelligence would even consider using captchas: that's the province of the lazy, the stupid, the ignorant, the worthless.

Here, I'll get you started: https://freedom-to-tinker.com/blog/felten/cheap-captcha-solving-changes-security-game/

That's one of MANY. You should be able to find some of the rest in a few moments without further assistance from me.

If there was someone physically compromising my systems and installing keyloggers, secure boot isn't going to help that much.

Hardware keyloggers, cameras, and even microphones[1] will all bypass secure boot.

They could even replace the innards of my mouse or keyboard with what's inside this: http://pentest.netragard.com/2011/06/24/netragards-hacker-interface-device-hid/

[1] http://www.berkeley.edu/news/media/releases/2005/09/14_key.shtml
https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information/
http://it.slashdot.org/story/05/09/13/1644259/keyboard-sound-aids-password-cracking

The amount of "I know nothing" coming out of DC the last two weeks rivals Sgt. Schultz

They're trying to fix that so please stop resisting.

You really think they don't make tamper resistant stickers in China?

There are other ways of doing keylogging too: https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information/

There are so many ways to get the info if you have physical access to the laptop and/or room. So if you're that paranoid (or they really are out to get the data) make sure the laptop is never left unguarded and it can self destruct.

1) In many cases it doesn't take long to take a laptop apart and reassemble it. The Dell technician who did that to my laptop claims he could do it in the dark/blindfolded (go figure the implications - Dell quality etc ;) ).

There are also alternative ways of keylogging. Most keyboard keys make a distinct sound when you type them. Typing q would sound different from typing w. For those that are too similar you could guess by heuristics. You can make calibration/ easier by pre-typing qwerty on it, but it is not necessary given enough text and correct guessing: https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information/

2) Alternatively plug a sneakier version of this in: http://hakshop.myshopify.com/products/usb-rubber-ducky
Or trick the person to do it.
See also: http://www.irongeek.com/i.php?page=security/plug-and-prey-malicious-usb-devices

Basically a usb device can install stuff and even "click through" the UAC/confirmation stuff, etc - because it can look like a usb keyboard and mouse. What it could do is nudge/jiggle the "mouse" by 1 pixel once a minute or so to make sure the screensaver never triggers. Then at a suitable time, launch the payload- which could be launching notepad/cmd, creating and saving a script and then running it.

If one of the usb ports was actually replaced with a malicious usb device that looks like a failed usb port you might not make a big issue about it. It might even be a working usb port - most large companies have standard issue laptops, so making a custom hardware USB shim for those laptops might be possible.

While affected voters can send their vote by fax or email, they must *also* send the paper ballot by conventional mail. The fax/email votes and the conventional mail votes will be reconciled after the election, and the results are not final until this has been done.

See https://freedom-to-tinker.com/blog/felten/new-jersey-voting-in-the-aftermath-of-hurricane-sandy/

They can try all the EULA crap that they want. That does not make it right, or legally defensible in a court of law.

I am not sure if that is true any more (in the US) since late last year in the Autodesk trial.

From the Freedom to Tinker blog:

The Ninth Circuit's decision in Vernor significantly erodes the first sale doctrine with respect to software and other mass-licensed digital goods. ...
In Timothy Vernor's case, however, the publisher of the AutoCad software argued that it never actually sold the copies Vernor bought, so there was no "first sale" for copyright purposes. Under the software publisher's logic, which the Ninth Circuit adopted in the case, both the copy and the intellectual property embodied in the copy were only licensed, and quite restrictively so, pursuant to the terms of a mass end user license agreement (EULA); nothing was ever sold, despite the retail transaction that put copies of the software into the hands of the initial purchaser, and despite the downstream transaction that put those copies into Timothy Vernor's hands. ...
Under Vernor, software copyright owners not only own the work embodied in every copy of a program they sell, they own every copy, too. Consumers are left with both empty pockets and empty hands.

I strongly believe First Sale doctrine should extend to software, but the EULA looks like it is sneaking in to block it.

https://freedom-to-tinker.com/blog/felten/safire-us-blew-soviet-pipeline-software-trojan-horse

The US has been doing this for a long time. You can use this to strike at critical resources.

One main pillars of warfare is to cut your enemy off from resources that can help them.

Warfare is not playing fair. Anyone who thinks so is just deluding themselves. You burn their crops. You level their cities. You grind them into a pulp. Or they will rise up and attack you again in the future.

http://www.gutenberg.org/ebooks/132

If you fight fair you put yourself at a disadvantage that your enemy can take advantage of.

That is real warfare. Anything else is just window dressing.

Har har.

I don't see why you think that's funny - we're talking capital-S security with DARPA here. Relying on encryption to keep your broadcasted-to-anyone-in-the-neighborhood data safe is clearly strictly less secure than not broadcasting your data in the first place.
And don't think that I'm limiting myself to WiFi when I mean "broadcasting" - just audio could be enough to compromise security: https://freedom-to-tinker.com/blog/felten/acoustic-snooping-typed-information.

It's discussed here.

Basically, with DNSSEC, DNS cannot be tampered with. All you have to is have the DNS then itself provide the cert, which the registrar then signs.

Basically, instead of having to send a CA our public key, and having them sign it and email it back, we just use the existing fact that, under DNSSEC, DNS records are signed, and stick so we just our public key in there. And unsigned keys can be checked there. Actually, it might be smart to have a specific mark on those keys, saying 'Check against DNS'.

This requires DNSSEC to actually roll out everywhere, of course, and requires client support. (And it requires DNS server support if we're actually going to use CERT records, but instead it could be something like SPF does...just use specially marked TXT records, and maybe just use the key fingerprint instead of the entire key.)

This actually has advantages over the current system. For example, it's trivial to revoke keys, whereas now, not so much. Domain owners can even 'revoke' keys they don't know about, like when they buy a name from someone else who still has SSL keys for it. The rules is: Whatever key is in the DNS work, if there's a security issue, just take that key out, put a different one in.

Of course, for a while, both DNS keys and CA keys would need to both work, but I actually think that, at some point, we should stop letting random frickin third parties in Belgium or Korea or wherever decide who is authorized to run an encrypted version of our domain name. The only person who is authorized to talk about what my domains are doing is my registrar and anyone they've delegated to! But certs could still be signed on top of that, to certify stuff like mailing addresses and company names and stuff. (Aka, the 'domain verification' signing would still be useful.)

So when Sony installs software on your computer that enables them to remotely connect to it and issue commands as the administrator, that's good.

No, that would be quite horrible.

However, as far as I'm aware, the XCP software did not allow SONY or anybody else to remotely connect to the machine.

Just to make sure you understand me correctly:
I'll state right here that what it did do is still highly undesirable and I do believe that those responsible should have been held accountable to the full extent of the law as it applies to several practices among which for the GPL violations.

I'll also state right here that I stated no opinions on the current LulzSec stuff. You can dig through my comment history to find one where I mentioned that the hacks were not some "largest public penetration test" but that the hacks were mostly for 'teh lulz'. I'd be honored if 'LulzSec' decided on that name based on that comment, but I highly doubt it ;)
( For what it's worth, I do think it's bordering on the juvenile, and I'm not of the belief that SONY 'deserves' to be hacked any more than I believe anybody's insufficiently protected house deserves to be robbed. I also think, however, that SONY could both have prevented this and reacted more adequately, and certainly should lay the blame largely with themselves. )

Back to the beef of this thread, though... the assertion that it isn't a 'hack' and the secondary assertion that it isn't a 'rootkit'.

My memory on this is rusty, however, and wikipedia of course only provides a summary (summary: it's a rootkit!) and cites a source which you then have to follow up several chains and finding the correct locations to some broken links to find any actual information at e.g. Mark Russinovich's research.
http://blogs.technet.com/b/markrussinovich/archive/2005/10/31/sony-rootkits-and-digital-rights-management-gone-too-far.aspx
http://blogs.technet.com/b/markrussinovich/archive/2005/11/04/more-on-sony-dangerous-decloaking-patch-eulas-and-phoning-home.aspx

From that research (again as far as I can tell and I admit that it fits my memory so there may be some selective bias), it appears there were technically two behaviors:
1. It hid itself from the user and most of the system.
2. It 'phoned home', to look for updated album art.

With that in mind, I'll skip to your last question:

You also seem to have an interesting definition of 'rootkit'. Since I only know the real definition, could you kindly elaborate on yours?

Certainly. From the wikipedia article to which you linked:

A rootkit is software that 1. enables continued privileged access to a computer while 2. actively hiding its presence from administrators by subverting standard operating system functionality or other applications

I added the numbers there because they help me explain.

Part 2, "actively hiding its presence", is certainly in effect. No question there.

However, both parts 2 and 1 are required in order to fit the rootkit definition.

And while the software 'phones home' to check for new album art and subsequently doesn't do anything with it, it does not "enable continued privileged access to a computer".

As such, it's not a rootkit.

Now, mind you, the subsequently released removal tool had a serious flaw in it that could indeed lead to privileged access.
http://freedom-to-tinker.com/blog/felten/sonys-web-based-uninstaller-opens-big-security-hole-sony-recall-discs
This,

Although this does seem a bit like getting paid to donate blood, somehow good but wrong... this guy has some interesting writing on how selling your 'private' data can be a good idea.

The entire fiasco with people getting arrested for modifying their own property is due to the DMCA's circumvention clause. Because the DMCA casts doubt on basic ownership rights I think that the base law is flawed.

If I want to buy a cheap super-computer or mod my Xbox 360 into a media center that should be a given-right: I bought the hardware so go to hell without my Freedom to Tinker.

They found the HDCP master key, remember? If the HDFury guys did their job correctly, it'll just find another key that isn't revoked automatically. The cypto is completely broken.

Well here is a report from 2007 stating that Diebold machines are not secure (with some of the study being published in 2006). And here is a report in 2008 (a year later) showing of not only warnings not to use the Diebold machines, but lists 2 different incidents (both in 2008) where Diebold machines caused problems with votes.

"The problem, which geeks classify as a "shell-injection vulnerability," .. By formatting the string in a particular way, we could cause the server to execute commands on our behalf" link

In this day-and-age, how could the programmers be so f*****g dumb, what are they teaching them in tech school lately ...

Someone asked why the matrix wasn't symmetric as per the master matrix in Blom's Scheme.

I figured out the answer by reading the three short articles linked to from HDCP: Why So Weak?. The deal is that they placed severe hardware constraints on themselves. They were only allowed to require devices to do addition, no multiplication. Therefore the implementation in the Wiki article was not acceptable.

The HDCP scheme only allows "sources" to create a shared private key with "sinks", not other sources. Each source (sink) gets a private key that is a sum of 20 rows (columns) of the master matrix mod(P) where P seems to be 2^56 (which is not prime). Their public key is not a vector of integers like in the Wiki article. It is a vector of 40 zeros or ones with a total of 20 zeros and 20 ones. It is the same vector that selected their 20 rows (columns).

If you look at how an arbitrary source's 20 rows overlap with an arbitrary sink's 20 columns in the master matrix, they will intersect at exactly 400 (= 20 x 20) numbers. The shared private key is the sum mod(P) of these 400 numbers. The source's private key is the 40 word vector containing the sum of its 20 rows. So the 400 numbers at the intersections have been summed into 20 numbers out of the 40 numbers of the source's private key. The sink tells the source which of the 20 of the 40 numbers in the source's private key to sum. These correspond to the 20 bits that were set (out of 40 bits) to select the 20 columns that make up the sink's private key. When the sources adds the 20 numbers from its private key it gets the sum of the 400 numbers in the intersection between the source's rows and the sinks columns.

The sink does the same thing. It gets told by the source which 20 of the 40 numbers in it's private key correspond to the sources 20 rows. The sink adds up these 20 numbers and it too gets the sum of the 400 numbers that are in the intersection of the sources rows and the sinks columns. This way each one uses their own private key (the sum of their 20 rows or columns which is a vector of 40 numbers) combined with the public key of the other (which 20 out of 40 numbers to sum) in order to find a shared private key. They both end up with the same number which is called the shared private key. It is the sum of the 400 numbers where the source's rows intersect the sink's columns in the master matrix.

The links in the summary were useless but I dug back in Ed Feltons blog and found the relevant posts which are still possibly the best explanation around of what this means. Search for DRM and go back to page 5 on the search results or click this. Scan from the bottom up for HDCP.

In a nutshell, this key is all you need to generate every valid key, whether assigned or not. They could revoke every key but then none of the existing hardware would work. Otherwise whenever they kill your key you can just generate a new one with this data.

Seriously, though, who rips 1080dpi raw? Most pirates dont bother, even when it's easily doable. This was never about piracy.

This encryption wasnt designed to hold up against attack. It was simply designed to activate clauses of statute. Judges arent quite as technically illiterate as they were a few years ago, and XOR might be hard to defend today, but this was still designed from the get-go simply to qualify as a 'technical measure' under the DMCA rather than to actually work. Making it work would have cost too many pennies/unit. This lets them call out US Customs to bar consumer-friendly competition at the port, and the US Dept. of State to lobby (bribe/threaten) China into 'cracking down' on such businesses there.

Why bother actually 'protecting' your systems when you can do a half-assed job of it and then call in the power of the state to make it work?

The entire attention on this arrest and the research itself is mis-guided. No machine is ever foolproof or fully secure by itself. For it to have a semblance of reasonable security, factors outside of the machine itself need to be controlled - such as physical access/security. This physical security has been one of the primary factors the Election Commission had been banking on for the security of the election process itself. This researcher had taken questionable actions which threatened that physical security aspect - no wonder he got into trouble. From the researcher's own words here http://www.freedom-to-tinker.com/blog/jhalderm/electronic-voting-researcher-arrested-over-anonymous-source, the authorities are only interested in getting to the anonymous source who provided him the machine and have no interest in harassing him. EVMs are supposed to be the sole property of Election Commission (for a good reason) and anyone possessing one without authorization is a criminal - simple as that.

I'm a professor at the University of Michigan, and I coauthored the voting study at issue with Hari Prasad. I've posted part of a phone call with Hari while he was in the police car, along with more details about the arrest.

Not necessarily - you can still read the contents of RAM relatively accurately for up to ten minutes after the power goes out as long as you're quick about extracting the sticks and applying some cryogenics (a spray from an upside-down can of compressed air works pretty well). Presumably, when they sense that the power is cut these hard drives convert the momentum in the spinning disks into enough electricity to zero out the onboard encryption key, which would take moments and render the contents unrecoverable.

46% movies and shows (non-pornographic)
14% games and software
14% pornography
10% music
1% books and guides
1% images
14% could not classify

They ultimatly found approx. 1% to be legal.

The Princeton piece makes for an interesting read because they do a good job of breaking down their catagories and providing some detailed context. For instance, 53% of the porn was in English and 5% of the software was Spanish language. Just really rich data for anyone into this kind of analysis. The final paragraph on how they decided if content was illegal reads:

Our final assessment involved determining whether or not each file seemed likely to be copyright-infringing. We classified a file as likely non-infringing if it appeared to be (1) in the public domain, (2) freely available through legitimate channels, or (3) user-generated content. These were judgment calls on our part, based on the contents of the files, together with some external research. By this definition, all of the 476 movies or TV shows in the sample were found to be likely infringing. We found seven of the 148 files in the games and software category to be likely non-infringing—including two Linux distributions, free plug-in packs for games, as well as free and beta software. In the pornography category, one of the 145 files claimed to be an amateur video, and we gave it the benefit of the doubt as likely non-infringing. All of the 98 music torrents were likely infringing. Two of the fifteen files in the books/guides category seemed to be likely non-infringing.

The battle isn't in the crack teams' favor these days:

The PS3 has been shown to be 100% secure after the years it has been out.

I believe GeoHot might disagree with you in that regard

HD satellite is still unbroken.

Really? Which satellite network? BEV is cracked, as is N3 (So Dish) - Google "N3XT"

FairPlay for movies still has not been cracked, and no, using the analog hole or a program like SoundTaxi to "record" the played movie is not a crack. That is a transcoding.

I'm sure the QTFairUse guys would have done it, had not Apple C&D'd them into oblivion.

HDCP has been out for a while, still unbroken.

Really? Are you sure about that?

Recent iPhones are still not jailbroken.

Really? Ask PlanetBeing about that.

Windows 7 activation has yet to have a reliable bypass that doesn't turn the desktop black.

Really? 'cause I'm using This release (For educational purposes only, of course), and have no black desktop on either x86 and x64. As long as you don't install KB971033 (Which can be blacklisted in Windows Update), you're just fine.

More corporation-bashing.

Burying inconvenient/embarrassing data is something PEOPLE do.

PEOPLE form corporations for reasons like limited liability (push the responsibility onto an abstract entity instead of themselves), tax breaks, and any other reasons people can think of to get away with things. So really (and as an analogy); it's not nuclear bombs that kill people, it's people that kill people, but the fact is nuclear bombs are still very potentially dangerous, which is why they need to be carefully supervised and controlled.

You are wrong when you say people blame corporations, because corporations are inanimate entities. People are really blaming the individuals who work in corporations. And more often then not people are assholes who reward dishonesty and punish honesty, the corporation is the medium. This quote is pretty instructive:

How severe were the consequences for not breaking the law? Well, like a baseball player who refuses to take steroids, CEO Mike Armstrong of AT&T did not keep pace with the cheaters. As a reward for his honesty and integrity, he was widely ridiculed in the press prior to being fired and AT&T, perhaps America's most valuable brand, was acquired for cheap. Now you see why Barry Bonds needed something to help him keep pace with Mark McGwire.

Ref: http://www.freedom-to-tinker.com/blog/felten/why-ceos-and-companies-break-law

Exactly so. The case was United States v. One Book Called Ulysses. The gist of the ruling was that the book was not obscene because it had merit as a work of literary art. Judge Woolsey's ruling was an eloquent defense of contemporary (for then) literary art. Once the book was no longer banned in the US, the UK and Ireland followed suit and allowed unexpurgated versions. What is doubly ironic here is that the case was engineered by Random House in order to be able to publish the book freely through the US without being prosecuted for pornography. Wow -- look at the difference today! What publisher would challenge the government and culture in this manner today? Instead, Apple seeks to create a Digital Disneyland where everyone can have a fully predictable, enjoyable, inoffensive, and commercially lucrative (for Apple) time.

Hand counts are not readily auditable because they're very slow. They're marginally auditable in cases where ballots can be sorted into a very small number of mutually-exclusive outcomes (i.e. for one race) but if you can't put them into piles an audit of a hand count would be very expensive and time consuming.

Plus optical-scan systems have accuracy rates of 3 or 4 nines, which is almost certainly better than the accuracy rate of people attempting to mark their intended vote on a ballot, and close enough for all but the mostly tightly contested races even if you assume ballots are 100% accurately marked.

So if you used optical scan ballots and automated counting and demanded a hand count only when the error rate of the machine might reasonably affect the outcome of the election, you could improve speed and maintain at least as much if not more auditability.

http://www.freedom-to-tinker.com/blog/appel/optical-scan-voting-extremely-accurate-minnesota

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Download Full and Free Games And Softwares For Games http://games2k.blogspot.com And For Softwares http://rapidsharefreesoftwares.blogspot.com Visit And EnjOy DOwnloadiNG Free And FulL

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Download Full and Free Games And Softwares For Games http://games2k.blogspot.com And For Softwares http://rapidsharefreesoftwares.blogspot.com Visit And EnjOy DOwnloadiNG Free And FulL

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Download Full and Free Games And Softwares For Games http://games2k.blogspot.com And For Softwares http://rapidsharefreesoftwares.blogspot.com Visit And EnjOy DOwnloadiNG Free And FulL

Conveniently what gets forgotten with "anti-piracy" jackbooting is my right to tinker. I don't give a damn that console makers want to totally lock down "their" systems. It's not "theirs" its mine, I bought it at the store. All this crap preventing me from running Linux on my XBox without screwing up Live (if I wanted it) is bull. Go away, it's mine - you don't like that? In a perfect world it wouldn't be my problem, but hey, we get the best laws money can buy.

Laws might also play a much bigger role in something like this. Rife abuse of things like the DMCA to halt innovation for fear of lawsuits, a well known fact of a highly broken patent system would cause less of a desire to want to get too creative lest you get a court issue summoning to east Texas ( http://blog.innovators-network.org/?p=922 ) and being sued to death. Other issues are that I have a feeling that laws like the US-VISIT Act ( http://www.dhs.gov/files/programs/usv.shtm ) might cause some people to re-consider going to the US since being digitally finger printed and photo'd for just wanting to enter the country is real discouraging (and I think this info stay on file indefinitely). Lots of legal problems, rising costs of business, the recession, laws that just make you less wanted by the country as a whole and stories of people being assaulted by border guards, and that the US Customs can and do copy your laptops and all of it's private business information ( http://www.freedom-to-tinker.com/blog/appel/no-warrant-necessary-seize-your-laptop ) possibly risking millions of dollars to your business (and don't think that a leak could never happen, they do). With all this to consider, it's less and less of a reason to want to start a business or take a business from another country and do it in places like Silicon Valley in the US.

And I don't count an Ars Technica opinion piece as a "study" either.

It's not like Ars did the research themselves.

I found the most fascinating part of TFA to be a link to a post by the Nexicon CTO himself in the comments of the initial article. It's 500 words of frantic, badly spelled gibberish whithout a single grammatically correct sentence and devoid of any substantial argument. You can literally see the poor man going litteraly nuts with rage while the sky is falling on his head.

Try it, it'll do you good. Seriously, I had not experienced such a powerful rush of pure, unaltered, sweet schadenfreude on the internets for a long time.