Slashdot Mirror

But we can file an objection... Here's mine. I'm open to suggested improvements:

Name
Address
Telephone Number

In re SONY BMG CD Technologies Litigation:

I am objecting to the settlement process on the grounds that,

A) The settlement excludes people who may not have purchased one of the listed compact disks from Sony/BMG, but have otherwise been affected by the software contained on it. It is conceivable that someone may have legally borrowed a compact disk, been affected by the rootkit, and have no receipt to file a claim in the settlement.

B) The settlement excludes people who may not have used any compact disk from Sony/BMG but may have otherwise been affected by the nature of the software. There has been no investigation into what, if any, personal information protected by law was surreptitiously obtained by Sony/BMG's use of the rootkit or by others who may have taken advantage of security holes left open by the rootkit itself.[1]

C) The settlement does not address the criminal actions of individuals at Sony/BMG. If this were the case of a "computer hacker" distributing a rootkit, that person would have been jailed on charges of computer trespass. Sony/BMG shipped an estimated 20,000,000 affected compact disks, some of which installed software REGARDLESS of whether or not the end user accepted the terms of their license agreement.[2] All members of the settlement class are potentially victims of Sony/BMG's criminal actions. Yet there have been, to my knowledge, no charges regarding criminal actions brought against Sony/BMG or any individual of that company.

[1] http://www.schneier.com/blog/archives/2005/11/sony s_drm_rootk.html
[2] http://www.freedom-to-tinker.com/?p=936

Hmmm, after that last bit, I wonder if I should instead file for exclusion. One or the other must be done before May 1, 2006. You can't do both... and I'll probably just get lip service from the courts with my objection...

As usual, Ed Felten has some insightful commentary about this on his blog. Interestingly, he ties this to the recent stories about ISPs giving favored treatment (for a fee) to certain net traffic over others. How does the AOL/Yahoo proposal fit in? Here's Felten's take on it:

What's different here is that senders aren't paying for delivery, but for an exemption from the email providers' spam filters. As Eric Rescorla notes, this system creates interesting incentives for the providers. For instance, the providers will have an incentive to make their spam filters overly stringent -- so that legitimate messages will be misclassified as spam, and senders will be more likely to pay for an exemption from the filters.

Felten thinks that market forces will either make this work or not work, assuming that competition exists. If people have a hard time getting the e-mail they want under AOL/Yahoo because they keep getting sucked up into overly-agressive filters, they'll go elsewhere.

As usual, Ed Felten has some insightful commentary about this on his blog. Interestingly, he ties this to the recent stories about ISPs giving favored treatment (for a fee) to certain net traffic over others. How does the AOL/Yahoo proposal fit in? Here's Felten's take on it:

What's different here is that senders aren't paying for delivery, but for an exemption from the email providers' spam filters. As Eric Rescorla notes, this system creates interesting incentives for the providers. For instance, the providers will have an incentive to make their spam filters overly stringent -- so that legitimate messages will be misclassified as spam, and senders will be more likely to pay for an exemption from the filters.

Felten thinks that market forces will either make this work or not work, assuming that competition exists. If people have a hard time getting the e-mail they want under AOL/Yahoo because they keep getting sucked up into overly-agressive filters, they'll go elsewhere.

So if you're designing a CD DRM system based on active protection, you face two main technical problems:

1. You have to get your software installed, even though the user doesn't want it.
2. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

These are the same two technical problems that spyware designers face.

So if you're designing a CD DRM system based on active protection, you face two main technical problems:

1. You have to get your software installed, even though the user doesn't want it.
2. Once your software is installed, you have to keep it from being uninstalled, even though the user wants it gone.

These are the same two technical problems that spyware designers face.

Apropos this from Freedom to Tinker's predictions for 2006.

17) HD-DVD and Blu-ray, touted as the second coming of the DVD, will look increasingly like the second coming of the Laserdisc.

This is the original blog that revealed the SunnComm DRM installed despite the user declining the EULA. Whereas the XCP DRM could hide behind the EULA excuse, I don't see how SunnComm has any legal fig leaf here (though IANAL).

Supposedly there is about ten times more SunnComm DRM in the wild than XCP DRM, so maybe Sony felt they couldn't sacrifice holiday sales despite the legal exposure.

Re the Sony spyware saga, it's also worth checking out Ed Felten's latest article on XCP's eviller twin, Suncomm Mediamax. Seems Mediamax made the fatal mistake of setting out their entire scheme in an SEC filing.

The original explanation of this, from Ed Felten and Alex Halderman, is at http://www.freedom-to-tinker.com/?p=942

This particular bug gets installed even if you decline the EULA. Sony and Sunncomm, what a wonderful combination. Remember, this is the same company that tried suing someone for putting on their web site "Hold the shift key down while inserting a copy protected CD to prevent the DRM software from being installed."

Just shaking my head at their idiocy and getting ready to watch the fireworks, assuming anything actually happens because of this mess.

...as previous patches. In other words, it leaves your computer even more vulnerable than before.

Don't see any mention of this on the entire last page of comments listed most recently first, so I figured it was worth risking a possible karma hit for duplication.

It seems Sony and SunComm just can't come up with a "real" fix to save their lives.

IIRC, the SunnComm software installs regardless of whether or not you accept the EULA. http://www.freedom-to-tinker.com/?p=936

The Sony-BMG copy prevention threads should teach modern-day /. readers that asking the proprietor what they do with the information they gather is not enough freedom for the user. According to freedom-to-tinker.com, Sony lied about their software saying they didn't track information on the user's usage, then they admitted they did and said this was okay because they didn't do anything with the information that they collected. Sony-BMG and First4Internet's uninstaller doesn't actually uninstall the software that people don't want to run when they put certain music CDs into their Microsoft Windows computers.

It doesn't really matter what the proprietor says the software does because you have no permission to verify their statement, change the software to suit your needs, or distribute the improved software. There are technological and legal restrictions to prohibit all of this. Better to realize that all computer users deserve software freedom, and that all proprietary software, regardless of ostensible purpose, is untrustworthy.

The Sony-BMG copy prevention threads should teach modern-day /. readers that asking the proprietor what they do with the information they gather is not enough freedom for the user. According to freedom-to-tinker.com, Sony lied about their software saying they didn't track information on the user's usage, then they admitted they did and said this was okay because they didn't do anything with the information that they collected. Sony-BMG and First4Internet's uninstaller doesn't actually uninstall the software that people don't want to run when they put certain music CDs into their Microsoft Windows computers.

It doesn't really matter what the proprietor says the software does because you have no permission to verify their statement, change the software to suit your needs, or distribute the improved software. There are technological and legal restrictions to prohibit all of this. Better to realize that all computer users deserve software freedom, and that all proprietary software, regardless of ostensible purpose, is untrustworthy.

If someone sued them for the MediaMax too, they wouldn't even have the EULA defense as it installs (and in some cases, runs) kernel-level drivers even if the user declines the EULA.

the only difference between agreeing and declining is that if you decline, the software is not activated (but it remains installed).

However, yesterday word came out that in some cases the software can become permanently activated even though the user declined to have it installed.

You are descended from toolmakers. Every time you consent to being unable to tinker with something, not only is it not really yours but you've given up a bit of your heritage as an intelligent being.

The article seems to indicate the offers cover CDs with First4Internet's XCP crap, but that's it. There's apparently similar ugliness with CDs using Sunncomm's MediaMaz copy protection (see http://www.freedom-to-tinker.com/?p=925) which is not covered. I guess that one hasn't gotten enough mainstream media coverage yet...

After getting Sony malware on the PC, getting rid of it is a pain. First there was XCP uninstaller flaw. Now there is another DRM uninstaller flaw. Alex Halderman did found that removing Sony's other CD DRM/SpyWare technology, the SunnComm MediaMax, system will wide open for a web-based attack.

According to the link below, the tool to remove XCP is itself *seriously* flawed from a security point of view:

http://www.freedom-to-tinker.com/?p=927

What's also interesting is SunnComm's history of making bogus announcements about non-existing products to pump up the stock price, and the SunnComm shills trying to discredit the guy who found out about their malware.

Definitely worth a look.

You did indeed. See:
http://www.freedom-to-tinker.com/?p=927

A remote reboot exploit exists as a proof of concept.

Sony has hit bottom, and commenced digging.

Serious design flaw in Sony's web based uninstaller : http://www.freedom-to-tinker.com/?p=927

Sony rootkit's web-based uninstaller opens huge security hole on computers
--
I'm always serious, never more so than when I'm being flippant. -- Cr. Ziller

I've stopped buying music for the same reason. If the music industry wants to sell more music, they could start by making their wares at least as desirable as those that are illicitly traded. But instead, they'll sell you music that is shackled to one computer, artificially incompatible with your MP3 player, and likely to disappear entirely when you upgrade your computer. For old-school people like me who prefer to have a physical backup in the form of a plastic disc, they'll try to sneak spyware onto your PC. Faced with this nonsense, is it any wonder people are pirating music? Why does the music industry think they can improve sales by selling an inferior product?

Sony released some kind of software update tool that removes the rootkit pretty cleanly.

Sony removes it pretty cleanly? Are you sure? You might be interested in reading this.

(Dislaimer - I'm a wikipedia administrator, arbitrator, and the "featured article director" -- I choose the featured articles you see on the main page every day)

Last week I was a guest speaker for a group of education graduate students about Wikipedia (the course was on technology use in education; wikipedia was part of the curriculum). Before the lecture, sent them a few items I thought they should read - objective studies of Wikipedia's accuracy done by impartial, outside organization. Here's what I sent them:

----------
1) "A group of students in the Graduate School of Library and Information Science at the University of Illinois has published a paper entitled "Information Quality Discussions in Wikipedia" (PDF format). The focus of the paper was on assessing the IQ of Wikipedia featured articles -- in this case, IQ stands for "information quality" -- when compared to other samples from the project, including featured article removal candidates, pages marked as NPOV disputes, and a selection of random pages. According to the paper, the study showed how seriously the Wikipedia project views issues of article quality. The authors concluded that as a quality standard, the featured article process "is not ideal, but it does seem relatively rigorous." They also noted that the process is not as resource-intensive as other possibilities, such as blind judging." - http://en.wikipedia.org/wiki/Wikipedia:Wikipedia_S ignpost/2005-08-01/Featured_content
PDF of research paper can be found at: http://www.isrl.uiuc.edu/~stvilia/papers/qualWiki. pdf

2) An article comparing the WP to Brockhaus and Encarta has appeared in issue 21/04 of C't, a major German computer engineering magazine. It is titled /Lexika: Wikipedia gegen Brockhaus und Encarta/, starting on p. 132 - http://meta.wikimedia.org/wiki/Wikipedia_vs_Brockh aus_and_Encarta
Full survey results can be found at: http://mail.wikimedia.org/pipermail/wikipedia-l/20 04-October/035339.html

3) "As publicly editable sites, Wikis are vulnerable to vandalism. We've examined many pages on Wikipedia that treat controversial topics, and have discovered that most have, in fact, been vandalized at some point in their history. But we've also found that vandalism is usually repaired extremely quickly--so quickly that most users will never see its effects." - IBM study of Wikipedia - http://researchweb.watson.ibm.com/history/results. htm

4) Computer Science professor (and minor geek rockstar) Ed Felton (http://en.wikipedia.org/wiki/Edward_Felten) posted in his blog about a
small-scale survey he did of Wikipedia: http://www.freedom-to-tinker.com/?p=674
-----------------

As far as my personal interactions - as featured article director, I can say first-hand that we've been hitting really hard on the need to have inline cited sources in the article text. It's been an explicit requirement for featured articles for some time now (9-12 months or so). In many ways, this makes our content much more trustworhty than most other information sources.

Furthermore, purely from personal experience, I can say there's something to be said for the expert-hobbyist. For example, the "best" writer on wikipedia (in terms of number of featured articles written) is a 17 year old from New Jersey who writes long, thorough, well referenced, accurate articles on, erm, British and the Bri

Sounds like about 30 more lines or so of python and you're halfway there.
TinyP2P

A bit of checksumming, some automated distribution of indexed files based on some arbitrary weight (Important 1-kinda 5-YOU BET), and you've got it.

You would have to install Python for windows... (Or OSX if they're using AutoCad and not Softplan.) Setup some login/boot-time scripts etc.

Still, more for the "fun" kind of thing to do, and not something for a production environment. But everything has to start somewhere.

WRONG!
See Bowers v. Baystate and Davidson & Assoc. v. Internet Gateway (the BNETD case) for court rulings finding clickwrap licenses valid and enforceable. The Slashdot meme that EULA's aren't enforceable is just plain wrong.

Professor Ed Felten wrote about this in his blog, Freedom to Tinker. It's a good analysis, comparing the RIAA's little venture to Perpetual Motion Labs.

http://www.freedom-to-tinker.com/?p=893
Acoustic Snooping on Typed Information
Friday September 9, 2005 by Edward W. Felten

Li Zhuang, Feng Zhou, and Doug Tygar have an interesting new paper showing that if you have an audio recording of somebody typing on an ordinary computer keyboard for fifteen minutes or so, you can figure out everything they typed. The idea is that different keys tend to make slightly different sounds, and although you don't know in advance which keys make which sounds, you can use machine learning to figure that out, assuming that the person is mostly typing English text. (Presumably it would work for other languages too.)

Asonov and Agrawal had a similar result previously, but they had to assume (unrealistically) that you started out with a recording of the person typing a known training text on the target keyboard. The new method eliminates that requirement, and so appears to be viable in practice.

The algorithm works in three basic stages. First, it isolates the sound of each individual keystroke. Second, it takes all of the recorded keystrokes and puts them into about fifty categories, where the keystrokes within each category sound very similar. Third, it uses fancy machine learning methods to recover the sequence of characters typed, under the assumption that the sequence has the statistical characteristics of English text.

The third stage is the hardest one. You start out with the keystrokes put into categories, so that the sequence of keystrokes has been reduced a sequence of category-identifiers -- something like this:

35, 12, 8, 14, 17, 35, 6, 44, ...

(This means that the first keystroke is in category 35, the second is in category 12, and so on. Remember that keystrokes in the same category sound alike.) At this point you assume that each key on the keyboard usually (but not always) generates a particular category, but you don't know which key generates which category. Sometimes two keys will tend to generate the same category, so that you can't tell them apart except by context. And some keystrokes generate a category that doesn't seem to match the character in the original text, because the key happened to sound different that time, or because the categorization algorithm isn't perfect, or because the typist made a mistake and typed a garbbge charaacter.

The only advantage you have is that English text has persistent regularities. For example, the two-letter sequence "th" is much more common that "rq", and the word "the" is much more common than "xprld". This turns out to be enough for modern machine learning methods to do the job, despite the difficulties I described in the previous paragraph. The recovered text gets about 95% of the characters right, and about 90% of the words. It's quite readable.

[Exercise for geeky readers: Assume that there is a one-to-one mapping between characters and categories, and that each character in the (unknown) input text is translated infallibly into the corresponding category. Assume also that the input is typical English text. Given the output category-sequence, how would you recover the input text? About how long would the input have to be to make this feasible?]

If the user typed a password, that can be recovered too. Although passwords don't have the same statistical properties as ordinary text (unless they're chosen badly), this doesn't pose a problem as long as the password-typing is accompanied by enough English-typing. The algorithm doesn't always recover the exact password, but it can come up with a short list of possible passwords, and the real password is almost always on this list.

This is yet another reminder of how much computer security depends on controlling physical access to the computer. We've always known that anybody who can open up a computer and work on it with tools can control what it does. Results like this new one show that getting close to a machine with sensors (such as microp

I'm sorry, but that's not enough.. how about NOT INCLUDING IT.. and how about not going along with HD-DVD with the DRM content onlycrap while you're at it. Screw this, if you want to threaten me with remote destruction of my player, and build it so it won't play my home made video, then you can keep it, and I won't buy it, and I'll tell others the very good reasons not to as well.

That's already the case. AACS requires "digital imprimature" Not only Has Blu-Ray vowed to go along with this as well, they've added additional restrictions.

I can't see how this will work without the cooperation from the drivers.

Yes, that's exactly the idea. Google for "Protected Media Path", drivers will be cryptograhically verified and revocable if needs be, using hardware TCPA. The authenticated driver must then authenticate the video card, and must authenticate the displays too.

See this recent Ed Felten article and the linked to Microsoft white paper on Protected Media Path.

Monitor will know that the content of a certain window is a movie being played?

Cause the 'trusted' video driver and your 'trusted' video card will ask your trusty monitor what kind of inputs and outputs it has. If your trusty monitor isn't trusted enough, your video card will downscale to a size specified by the "content owner" then upscale the content again so it will lack quality, before sending it on to be displayed. (eg like watching a 320x160 MPEG at full-screen). Your trusty video card will also switch-off or blank the content in any "bad" outputs it might have, like unprotected VGA or DVI.

Note that in this vision of the future of computers, not even your PCI bus is to be trusted if it has user-accessible slots or even motherboard traces. Your trusty graphics driver will have to encrypt the content using AES first before passing it across the bus to your graphics card (which has to decrypt it) - if the content owner demands it.

Ie, the future of computing involves your trusty computer doing massive amounts of extra work for 0 reward to you except to keep Hollywood happy.

Read the paper and be astounded.

Ed Felten to the rescue
"... The Princeton University Store, a bookstore that is located on the edge of the campus but is not affiliated with the University, will be the entity offering DRMed textbooks..."

For more information on this, check out Professor Ed Felten's blog http://www.freedom-to-tinker.com/. He commented on this the other day, particularly with the regards to the separation of the university and the bookstore.

Princeton professor Felten's Freedom to Tinker blog has a good analysis of this. I like his attitude:

It's hard to see the value proposition for students in the DRMed version, unless the price is very low. . . . I don't object to other people wasting their money developing products that consumers won't want. People waste their money on foolish schemes every day. I wish for their sake that they would be smarter. But why should I object to this product or try to stop it? A product this weak will die on its own.

I hope he's right ...

Princeton professor Felten's Freedom to Tinker blog has a good analysis of this. I like his attitude:

It's hard to see the value proposition for students in the DRMed version, unless the price is very low. . . . I don't object to other people wasting their money developing products that consumers won't want. People waste their money on foolish schemes every day. I wish for their sake that they would be smarter. But why should I object to this product or try to stop it? A product this weak will die on its own.

I hope he's right ...

As far as I can tell, Princeton University has no part in this experiment. The Princeton University Store, a bookstore that is located on the edge of the campus but is not affiliated with the University, will be the entity offering DRMed textbooks. The DRM company's press release tries to leave the impression that Princeton University itself is involved, but this appears to be incorrect.

I think there's a very, very good chance that all these printers have in-the-field-upgradeable firmware in Flash, so all you need to do is reverse engineer one printer's firmware, find the "download new firmware" command in it, and use that to produce a software-only printer crack which updates any printer of that model so that it won't print the tracking dots. Instead, it will just print goatse on every third page.

Re currency detectors, check out the "EURion constellation": PDF, etc. (slashdot, freedom to tinker)

Well, it makes more sense if you think of it as the "Any-Time Money Machine" But nothing is better than seeing an ATM BSOD, or seeing the Windows Desktop on an ATM. A very expensive Diebold Media Player. Gee...Imagine that...people are actually worried about the security about Diebold voting machines? Funny how I haven't seen any mass-complaints relating to Diebold ATM's. Was O/S 2 a better platform for ATM's? If for no other reason, obscurity. You can argue all of the merits of O/S 2 till the cows come home, but the switch to Windows was eventually gonna happen just from sheer market share numbers. (No! I didn't want to drag that money to the recycle bin! I was trying to drag it to checking)

The most insidious thing about this is the way that Sony/BMG is using this to reframe the dialog about ripping/burning. When I buy a CD and rip some tracks to put on my MP3 player, or to make a backup copy of the CD, I call this "fair use". They call it "casual piracy". JD Lasica has an insightful item on Edward Felten's site about exactly this issue.

The most insidious thing about this is the way that Sony/BMG is using this to reframe the dialog about ripping/burning. When I buy a CD and rip some tracks to put on my MP3 player, or to make a backup copy of the CD, I call this "fair use". They call it "casual piracy". JD Lasica has an insightful item on Edward Felten's site about exactly this issue.

It's another demonstration of the corollary to Felten's Law, i.e. "When the topic of a copyright policy discussion switches to pornography, each side suddenly adopts the other side's arguments."

The irony is that the Play for Sure system does NOT mean that the songs download from Play for Sure sellers will work in Play for Sure players. Play for Sure is pure marketing BS. Check out this informative article from Freedom to Tinker.

If we don't fight windmills the damn things will take over the world.

There is a push to regulate file sharing programs. Just look at tinyP2P

Talk about paranoia.

Not here. The walls have eyes and ears.

"Second, amici address assertions that checking for infringement should be built into network design. On the contrary, certain functionality (such as using filters) should not be done at the network level. To order network designers to add functionality to the network to avoid liability is to force significant inefficiency into network design. Because leaving out such functionality may represent good engineering design, no negative inference regarding intent should be drawn if a designer chooses not to add this functionality."

I was pointed there by Ed Felton in a response post on the brief's abstract page on Freedom to Tinker,

"I'm curious what you think of the corresponding section of the brief (Section II, starting on page 6), which makes the argument at much greater length."

I love getting some free Ivy League insight (as an aside, I go to Rutgers where we are always using information from our Ivy League friends).

Maybe talking about the small size of the application was meant as a complement to the supporting software libraries, rather than an attempt at "taking credit"

The Glyphsaw Puzzle solver is implemented in less than 200 lines of Python code by making good use of the PARC DataGlyph Toolkit, the Python Imaging Library (PIL), and Numerical Python.

I don't doubt that he did make very good use of the libraries, but that doesn't detract from the point that measuring goodness of code by number of lines is stupid. You could write an indecipherable 15 line Python P2P program. Or you could write a similar program in 100 lines of code, but other people might actually be able to understand it. Or you could write 1000 lines of indecipherable spaghetti code. Number of lines of code is not a good measure of quality. Period.

BTW, I wasn't saying this particular guy was trying to take credit for other people's work, but there is, in general, a leet attitude in saying "I did this in x lines of code." It sounds like bragging.

It's certainly no 15 line p2p app!

Why do you think no EULA has ever been tested in court?

Not only does the court uphold the EULA:

The Court finds that the license agreements are enforceable contracts under both California and Missouri law. California courts have enforced end user license agreements, which are valid under California law.

The defendants in this case waived their "fair use" right to reverse engineer by agreeing to the licensing agreement. Parties may waive their statutory rights under law in a contract.