Domain: politechbot.com
Stories and comments across the archive that link to politechbot.com.
Stories · 118
-
FBI Remotely Installs Spyware to Trace Bomb Threat
cnet-declan writes "There have been rumors for years about the FBI remotely installing spyware via e-mail or by exploiting an operating system vulnerability from afar — and now there's confirmation. Last month, the FBI obtained a federal court order to remotely install spyware called CIPAV (Computer and Internet Protocol Address Verifier) to find out who was behind a MySpace account linked to bomb threats sent to a high school near Olympia, Wash. News.com has posted a PDF of the FBI affidavit, which makes for interesting reading, and a summary of the CIPAV results that the FBI submitted to a magistrate judge. It seems as though CIPAV was installed via e-mail, as an article back in 2004 hinted was the case. In addition to reporting the computer's IP address, MAC address, and registry information, it also gave the FBI updates on which IP addresses the user(s) visited. But how did the FBI get the spyware activated and past anti-virus defenses? Two obvious ways are for the Feds to find and exploit their own operating system backdoors, or to compromise security vendors..." -
Senator Warns of Email Tax This Fall
cnet-declan writes "State and local governments in Washington this week began an all-out lobbying push for the power to tax the Internet, according to our article at News.com. A new Senate bill would usher in Internet sales taxes, and the Federation of Tax Administrators (representing state tax collectors) advised senators at a hearing on Wednesday not to renew a temporary moratorium limiting broadband taxes that expires in November. One irked Republican senator warned that unless the moratorium is renewed, we could start seeing email taxes by the end of the year. Former House Majority Leader Dick Armey blames it on the Democrats taking over, as do Yahoo and eBay lobbyists. Is this a non-hoax version of bill 602P?" -
Congress May Outlaw 'Attempted Piracy'
cnet-declan writes "Attorney General Alberto Gonzales is asking Congress to make 'attempted' copyright infringement a federal crime. The text of the legislation as well as the official press-release is available online. Rep. Lamar Smith, a key House Republican, said he 'applauds' the idea, and his Democratic counterpart is probably on board too. In addition, the so-called Intellectual Property Protection Act of 2007 would create a new crime of life imprisonment for using pirated software in some circumstances, expand the DMCA with civil asset forfeiture, and authorize wiretaps in investigations of Americans who are 'attempting' to infringe copyrights. Does this go too far?" -
Censorware Not Good, Just Better Than COPA
Slashdot contributor Bennett Haselton writes in with an essay that starts "On March 22nd, District Court Judge Lowell Reed ruled that the Child Online Protection Act was unconstitutional, partly because the judge called it 'vague and overbroad,' and partly because less restrictive means existed, such as Internet blocking software. I'll leave others to comment on the legal issues, but blocking software is something that I've studied, and it's important to make sure this decision is not seen as some kind of vindication for the 'censorware' industry." Tap that link below to read the rest of his story.
The thrust of the judge's findings about blocking software was that it blocks a high proportion of pornography, blocks a low proportion of non-pornographic Web sites, and that it is difficult for most kids to get around. I think that these conclusions are correct for the purpose of the decision he was making -- in other words, blocking software blocks a high proportion of pornography compared to the law in question, and is difficult to get around compared to the law in question. But let's not get carried away -- blocking software is not that accurate, and not that hard to defeat.
Consider first the accuracy rates cited by the judge. Citing expert witness reports, he wrote, "I find that filters generally block about 95% of sexually explicit material", and then quoted several different rates for overblocking provided by expert witness reports, ranging from about 4% to 11%. I wrote earlier about the different ways to interpret overblocking error rates -- the gist was that if you care about the constitutional issues with filter use, then you look at the percentage of blocked sites that are non-pornographic (i.e. for every porn site that gets blocked, how many research sites get canned along with it), and that number tends to be high. On the other hand, if you simply care about the effectiveness of blocking software in a home setting where there is no constitutional issue raised, then you look at the percentage of non-pornographic sites that are blocked, and that number tends to be low.
For example, suppose for the sake of argument that 1% of Web sites in a given sample are sexually explicit, or 100 Web sites out of 10,000. To use Judge Reed's numbers, suppose that 95% of those porn sites, or exactly 95 in this sample, are blocked, whereas of the other 9,900 sites, 5%, or exactly 495 of them, are not blocked. Then the percentage of non-porn sites that are blocked is only 5%, but the percentage of blocked sites that are non-porn is actually 83% (495 blocked non-porn sites, out of a total of 495+95=590 blocked sites). One of our past studies of blocking software did indeed sometimes find error rates of about 80%, due to errors caused by IP address blocking and filters being tripped up by keywords (even when "keyword blocking" features were supposedly turned off -- because in that case the program still blocked sites on its master blacklist, and those blacklists are frequently built by scanning the Web for keywords).
Another portion of the judge's ruling dealt with the difficulty of getting around blocking software:
Filtering companies actively take steps to make sure that children are not able to come up with ways to circumvent their filters. Filtering companies monitor the Web to identify any methods for circumventing filters, and when such methods are found, the filtering companies respond by putting in extra protections in an attempt to make sure that those methods do not succeed with their products... It is difficult for children to circumvent filters because of the technical ability and expertise necessary to do so by disabling the product on the actual computer or by accessing the Web through a proxy or intermediary computer and successfully avoiding a filter on the minor's computer... Accessing the Web through a proxy or intermediary computer will not enable a minor to avoid a filtering product that analyzes the content of the Web page requested, in addition to where the page is coming from. Any product that contains a real-time, dynamic filtering component cannot be avoided by use of a proxy, whether the filter is located on the network or on the user's computer.
After the ruling came out, I tried some of the best-known blocking software programs to see how easily they could be defeated: Net Nanny, SurfControl, CyberSitter, and AOL Parental Controls. Net Nanny and SurfControl apparently could not block https:// sites at all, so I was able to get to https://www.StupidCensorship.com/ and access anything I wanted from there, despite the fact that that site had been public for over a year. Apparently I do have the "technical ability and expertise necessary" to "access the Web through a proxy", but then again I'm not a minor, so, kids, don't hurt yourself trying that.
CyberSitter did intercept the https:// request so it did block StupidCensorship.com, but it didn't know about some of the other proxy sites that we had mailed out to our users recently. One of those did however get blocked because the word "hacking" appeared on the page -- as in,
This site is a tool for circumventing Internet censorship to promote free speech. It does not enable any hacking, cracking or any illegal activities (since it doesn't let you to access any sites that you couldn't access from home anyway).
so it's probably safe to say that if the CyberSitter filter is that paranoid, it would result in a good deal of overblocking as well. AOL Parental Controls also did not block the latest proxies, although it wouldn't let me load sites like Playboy through the proxy, presumably because it recognized the contents of the page and blocked it (so on that point, Judge Reed was right).
But none of the products could stop the doomsday weapon, which is to burn an Ubuntu Linux CD and boot from that, bypassing any security software installed under Windows. I can see your eyes glazing over at the thought of kids attempting to do that, but it's merely an unfamiliar process to most people, not actually difficult. (I've been saying for years that with the greater difficulty of using Linux over Windows, there's nothing cool or clever about running it just for its own sake so you can feel badass, and the only time you need it is if you want to do something that only Linux lets you do. Well, here's something!)
But in spite of everything, I think the judge's conclusions about blocking software were still broadly correct, because he was comparing the merits of blocking software against the merits of a law that would have prohibited commercial pornography from being published on the Web in the United States. In talking about the "effectiveness" of such a law, the judge and lawyers cited the fact that as many as 75% of adult sites were hosted overseas anyway. But even that high number understates the situation, because hypothetically if all the porn on the Web in the U.S. did get outlawed, it would be easy for anyone to spend all their time looking at porn from outside the country. When you're talking about a supply of content that is so large that nobody could finish looking at it all if they spent the rest of their life trying, it doesn't really matter if 25% or 50% or 75% is located within your legal jurisdiction. I never stop hoping that a judge will say, "Look, pictures of naked people don't hurt anyone, no, not even people under 18. Shoot, when I was 13 and president of Future Lawyers of America, my friend gave me a copy of Playboy as a down payment for my unsuccessful attempts to defend him on curfew-breaking charges in Foot v. Ass, and look how I turned out." But even a judge who firmly believed that people under 18 were harmed by pornographic images would have found little reason to uphold this law.
-
ISP Tracking Legislation Hits the House
cnet-declan writes "CNET News.com reports that Republicans in the U.S. House of Representatives announced yesterday legislation to force ISPs to keep track of what their users are doing. It's part of the Republicans 'law and order agenda,' with other components devoted to the death penalty, gangs, and terrorists. Attorney General Gonzales would be permitted to force Internet providers to keep logs of Web browsing, instant message exchanges, and e-mail conversations indefinitely. The draft bill is available online, and it also includes mandatory Web labeling for sexually explicit pages. The idea enjoys bipartisan support: a Colorado Democrat has been the most ardent supporter in the entire Congress." -
FBI Taps Cell Phone Microphones in Mafia Case
cnet-declan writes "We already knew the FBI can secretly listen in to car conversations by activating microphones of systems like OnStar. A new Mafia court case suggests that the FBI can do the same thing to cell phones. The judge's opinion and some background information [pdf] are available for reading online. The most disturbing thing? According to the judge, the bug worked even if the phone appeared to be 'powered off.' Anyone up for an open-source handset already?" From the article: "This week, Judge Kaplan in the southern district of New York concluded that the 'roving bugs' were legally permitted to capture hundreds of hours of conversations because the FBI had obtained a court order and alternatives probably wouldn't work. The FBI's 'applications made a sufficient case for electronic surveillance,' Kaplan wrote. 'They indicated that alternative methods of investigation either had failed or were unlikely to produce results, in part because the subjects deliberately avoided government surveillance.'" -
Politicians Target Social Sites For Restrictions
cnet-declan writes "Politicians are looking for reasons to convince citizens to vote in November, and polls say suburban parents are worried about the internet. Wednesday top House Republicans announced a bill to make 'social' Web sites unreachable from schools and libraries. The bill is intended to go after MySpace, but the actual text of the legislation covers sites that let users 'create profiles' and have a 'forum' for conversations -- which would include Slashdot and many blog sites. House Speaker Dennis Hastert claims it's necessary to stop 'dangerous predators' out here on the Interweb." -
Audio Broadcast Flag Introduced in Congress
Declan McCullagh writes "We found out in mid-2004 that the RIAA was lobbying the FCC for an audio version of the broadcast flag. But because a federal appeals court slapped down the FCC's video version last year, the RIAA needs to seek formal authorization from Congress. That process finally began today when the audio flag bill was introduced. It would hand the FCC the power to set standards and regulate digital and satellite radio receivers, and RIAA Chairman Mitch Bainwol says it strikes "a balance that's good for the music, good for the fans, and good for business." The text of the bill is available online." -
Homeless to be Implanted with Subdermal RFID Tags
An anonymous reader writes "Politech has the scoop on the Bush administration's plans to forcibly implant RFID tags into homeless people in participating U.S. cities. Here's an excerpt from the UPI article: "The minuscule RFID tags are no larger than a matchstick and will be implanted subdermally, meaning under the skin. Data from RFID tracking stations mounted on telephone poles will be transmitted to police and social service workers, who will use custom Windows NT software to track movements of the homeless in real time... A second phase of the project, scheduled to be completed in early 2005, will wirelessly transmit live information on the locations of homeless people to handheld computers running the Windows CE operating system."" -
Pricing and Internet Architecture
Frisky070802 writes "The Politech list recently posted a pointer to a new paper (pdf) by UMN prof Andrew Odlyzko, which compares the telecom industry to the historical transportation industry (railroad, bridges, and such). One quote, from the conclusion, is particularly interesting: '... the networking industry [has] devoted inordinate efforts to technologies such as ATM and QoS, even though there was abundant evidence these were not going to succeed. One can go further and say that essentially all the major networking initiatives of the last decade, such as ATM, QoS, RSVP, multicasting, congestion pricing, active networks, and 3G, have turned out to be duds. Furthermore, they all failed not because the technical solutions that were developed were inadequate, but because they were not what users wanted.'" -
On The Difficulty Of Developing Open Source Games
Thanks to an anonymous reader for pointing to a Competitive Enterprise Institute essay for discussing lessons learned by looking at the history of open-source games (PDF link, text version as posted to Politech list.) The piece suggests that "generally, games have not been a success story for the open source community", arguing that "...the consensus among gamers and developers is that open source games still lag behind proprietary games in originality, sophistication, and artwork; many are clones of earlier proprietary or shareware games." It notes that "...the open source business model seems to have trouble coming up with large initial investments at the cutting edge of innovation, where risks are greatest", and then suggests some larger lessons for governmental public policy on open-source software. -
Online Journalists are ISPs?
MFS! writes "Long-time C|Net reporter and Politech operator Declan McCullagh has been contacted by the FBI, according to his most recent article. The FBI requests that he retain all records regarding his talks with Adrian Lamo. The problem? The FBI's letter was sent under the auspices of a law which applies only to internet service providers. Says Declan, "Perhaps I'd be immune from the FBI's demands if I used an Underwood No. 5 typewriter instead." Does writing online now qualify one as an ISP?" -
What's in Your Spam-Fighting Arsenal?
Spamhunter asks "Everyone has their favorite tools to stop spam at the inbox, whether it's using a scoring tool like SpamAssassin, Bayesian filters, or something as extreme as challenge/response whitelists (which creates a few problems itself). What I'd like to know is, what are your tools for actively investigating and shutting down spammers? I've found information sites like SPEWS and Spamhaus to be invaluable in tracking down spam gangs and spam-friendly ISPs in order to put pressure where it belongs. Sometimes just chasing the chain of ownership in WHOIS is helpful. What tools, approaches, and resources do you find helpful?" -
iTunes: Don't Leave Home With Them
BadDoggie writes "Politech is reporting that your 'ownership' of music purchased from Apple's iTunes isn't what everyone considers ownership. According to the license, 'Apple may use technologies to verify' that you have not 'use[d] or attempt[d] to use the service from outside of the [United States]'. This includes Canada. Apple's 'technologies' delete the bought-and-paid-for files with no refund and no replacement when & if you leave the U.S." Update: 07/25 16:23 GMT by P : The post to Politech says the songs would "disappear," not be deleted; from the context, it seems they were merely unplayable, not deleted. Update: 07/25 21:34 GMT by M : Apple has contacted the guy, and is apparently making him happy. However, the question remains: Apple definitely doesn't want people buying new songs from outside the U.S., but do they intend to generally permit foreign users to reauthorize (in effect, retain access to) the songs they have already purchased? Apple's policy is very unclear on that point. -
Europe, Free Speech, And The Internet
drdale writes "Declan McCullagh responds at CNET.com to a proposal by the Council of Europe to require Internet sites to publish replies by individuals whom the sites criticize. This would apply to all web sites, apparently, including blogs. Per McCullagh, the Council's proposals do not have the force of law, but often serve as the basis for new laws." Imagine the chilling effect if McCullagh's own politechbot and similar sites had to follow such rules. -
Stronger Anti-Spam Law Proposed
NumberField writes "The fight against spam is making for some strange bedfellows. A new bill sponsored by Senator Charles Schumer (D-NY) and the right-wing Christian Coalition would let individuals sue spammers for $1000 per message. What isn't clear is how they will define spam broadly enough to outlaw it, but narrowly enough to avoid making it a bonanza for lawyers. For more information, see Schumer's fact sheet (PDF), or his press release." Update: 06/13 14:20 GMT by M : The draft bill (pdf) is available. -
Spam Blackhole Lists Redux
tsu doh nimh writes "Are spam blackhole lists good, bad or indifferent? That appears to be the question they're tackling in this Washington Post story. It has some interesting back and forth between supporters of the lists and those who claim they condone censorship." J adds: Brad Templeton recently offered some comments on the most extreme pro-blacklist position. -
Spammers Threaten Techdirt With Lawsuit
An anonymous reader writes "Found over at Declan McCullagh's Politech, some spammers who had been written up in the NY Times found their contact info displayed on Techdirt, after they wrote about the NY Times story. Apparently, someone was trying to pull a Ralsky on the spammers. The spammers got pissed off and threatened to sue Techdirt - even though all the info was publicly available and other court cases have shown it's legal to post spammers' contact information. Techdirt, interestingly, took the contact info down because they feel that no one should get spammed. I'm kind of torn on this one. On the one hand, I respect Techdirt for taking such a stand, but on the other, I feel that the spammers clearly deserve to be spammed back. The fact that they threatened Techdirt, despite them not having done anything wrong (it wasn't even the folks at Techdirt who posted the info - but some readers), makes me even angrier at the spammer." -
State "Communication Services" Laws Analyzed
87C751 writes "There has already been some discussion about Michigan and other states implementing new laws to protect "communication services", with results that could ban NAT, VPNs and even email encryption. Mike Godwin, of EFF fame, has looked into this subject a bit deeper, and makes a frightening observation. Among other things, this PDF report draws an ugly conclusion: As written, these "mini-DMCA" acts change the legislative focus radically, such that all technology that is not expressly permitted by a communications provider will be prohibited. Is this the backdoor maneuver that will turn the net into television once and for all?" -
Slashback: Discipline, License, Name-calling
Slashback tonight brings you a boatload of updates and amplification to previous Slashdot stories, including: the outcome of the RIAA-driven administrative crackdown on file trading at the U.S. Naval Academy, the legal status of ambiguously labeled Microsoft "gimme" software, more information on the insecurities of Blackboard's card-based payment system, and more. Read on for the details!
Every day, in every way, I am becoming a better and better Lt. Junior Grade. alanjstr writes "The Baltimore Sun reports 'The Naval Academy has disciplined 85 students who used a military Internet connection to illegally swap copyrighted music and movies, but it stopped short of carrying out its threat to impose the maximum penalties of expulsion or court-martial, an academy document shows.' It goes on to say that the raid was spurred less by the RIAA and more by the threat of losing the internet connection due to the enormous amount of bandwidth consumed. The academy had given students several warnings before raiding the dorm rooms. Some of the hard drives seized last November were found to contain one or two copyrighted files, while others ran into the hundreds or thousands."
I bet they could make a better agreement with Xiph.org Magnetic Confinement writes "In an effort to make life more difficult for civic-minded Mac users, NPR has decided to drop Quicktime from its available streams. Nothing specific on their webpage addresses it, just some suspicious vacancies remain. Their helpdesk response is officially:
'NPR.org had been offering some of its audio in the Apple QuickTime format under an arrangement with Apple QuickTime. We regret that we were unable to reach mutually acceptable terms for a new arrangement with Apple QuickTime. As a result, NPR is unable to continue offering its content in this format.
You can also contact Apple QuickTime directly at: quicktime@apple.com
Weston
NPR Online'"
A note that got lost in the bin for too long ... JulesVD writes "Microsoft has agreed to tweak its Windows XP operating system in response to recent feedback from the Justice Department over its antitrust settlement with the federal government. (See news on Yahoo!) Microsoft will give more prominent display to a button in Windows that allows computer users to remove the company's Internet Explorer browser, company spokesman Jim Desler said. The Justice Department is overseeing Microsoft's compliance with the settlement. Placement of the button in a hard-to-reach spot in Windows was one of several complaints Microsoft's rivals made to the department last year."
Proportionality isn't just for the personals. You may still be boggling (I am) at the recently announced RIAA suits alleging that colleges and college students are liable for billions of dollars in damages to the music industry for facilitating online file trading. Reader Derek Lomas writes in with another editorial indicating "growing support at Yale for legal alternatives".
Even biggerness. The Gathering is billed by some as the world's largest computer party. MC68040, though, writes "I'd like to remind everyone to have a look at dreamhack, that 'also' is the largest LAN in Sweden twice a year ... Which had over 5000 participants in 2001 and even more in 2002.. *arhem* Biggest you say?"
If you want to fight about "LAN party" vs. "Computer party," leave me out of it!
How about calling it "900t"? An anonymous reader writes "As previously reported, mozilla.org's Phoenix browser has been renamed to Firebird. This hasn't pleased supporters of the Firebird relational database project. In an Australian LinuxWorld article, one of their administrators calls the name change "one of the dirtiest deeds I've seen in open source so far." In a MozillaZine article, the same person accused mozilla.org of "theft" and "corporate bullying". They don't explain how it was different when they picked a name that was already used by a BBS, financial software manufacturer, Fenix IDE and games company. Meanwhile, IBPhoenix, an organisation that supports the development of the Firebird database, has put up a protest page, encouraging people to spam the MozillaZine forums (even though MozillaZine had nothing to do with the decision) and send masses of email to many Mozilla developers (most of whom were not involved in selecting the new name). I find it rather hypocritical that the Firebird database people are accusing Mozilla of "the filthiest of dirty tricks" while at the same time advocating the harassment of many Mozilla developers."
Point of clarification. batkid writes "In response to the article 'Microsoft pirating their own software,' it seems like MS is taking it pretty seriously. I got the following response from Microsoft (I am a faculty member, but the response should be the same to students).
April 9, 2003
RE: Visual Studio .NET Professional Edition and Windows XP Professional software distributed during the Microsoft Faculty Seminars
Dear Faculty Member, Thank you for attending the recent Microsoft Faculty Seminar. The purpose of this letter is to clarify questions concerning the legal use of the Visual Studio .NET Professional and Windows XP Professional software distributed to faculty who attended the Seminar. The software received is governed by the electronic license embedded in the product set up that appears prior to installation and no additional documentation is required.
Notwithstanding language on the CD label for the copies of Visual Studio .NET Professional Edition and Windows XP Professional Edition that you received during your attendance at the Seminar, which appeared to indicate that a separate license document was required in order for you to legally use the software, this letter will confirm that use by you of the software received is governed by the electronic license embedded in the product setup that appears prior to installation.
You are required to agree to accept the terms and conditions of this license prior to proceeding with the products' installation. Acceptance by you of these "Click to Accept" licenses is the only license required for your use of the copies of Visual Studio.NET Professional Edition and Windows XP Professional Edition received. We recommend that you keep a copy of this letter in your personal files for future reference."
Thanks for passing that along.
What if Masterlock security was assured this way? Monday, you read that security researchers Billy Hoffman and Virgil Griffith (known as Vergil and Acidus) were prevented from speaking at a security conference by means of a Cease and Desist order from Blackboard, Inc. The two planned to talk about security flaws found in Blackboard's Transaction System.
In a mail posted at Declan McCullagh's Politech mailing list, David Yaskin of Blackboard responds to the criticism that the company's legal action has drawn. John R. Hall has posted a FAQ explaining some particulars of the Blackboard Transaction System which Virgil and Acidus aren't at liberty to discuss, as well as contradicting some claims that Yaskin makes in the posted email.
-
Blackboard Campus IDs: Security Thru Cease & Desist
On Saturday night, Virgil and Acidus, two young security researchers, were scheduled to give a talk at Interz0ne II on security flaws they'd found in a popular ID card system for universities. It's run by Blackboard, formerly by AT&T, and you may know it as OneCard, CampusWide, or BuzzCard. On Saturday, instead of the talk, attendees got to hear an Interz0ne official read the Cease and Desist letter sent by corporate lawyers. The DMCA, among other federal laws including the Economic Espionage Act, were given as the reasons for shutting down the talk (but -- update -- see the P.P.S. below). I spoke with Virgil this morning. Virgil was there two years ago when Dmitri Sklyarov was arrested and led away in handcuffs at Def Con 9. He's not in handcuffs now, but in speaking to me, he had to stop and think about everything he said, and every third answer was "I really shouldn't talk about that."
The DMCA is largely to thank for that. Section 1201 states that no one "shall circumvent a technological measure that effectively controls access to a work," and that no one "shall... offer to the public... any technology" to do so. Blackboard Inc., whose card system is called the Blackboard Transaction System and known to end users under various names, uses a network of card readers and a central server, and they communicate over RS-485 and Internet Protocol -- using, or so they apparently claim, measures that effectively control access.
For the record, none of what I learned about the Blackboard technology was from him or Acidus after the restraining order was sent. I spoke to other people, who have not been served with a restraining order. Google has a less enlightening mirror of the slide titles from this weekend's PowerPoint presentation and a more enlightening mirror of Acidus's "CampusWide FAQ" from last July. And, most enlightening of all, this mirror has an updated version with details on what they figured out how to do and what their talk was going to be about (click "CampusWide" for the text description, the PowerPoint slides, and Acidus's timeline of the last year).
At many schools, Blackboard's system is the ID: you swipe your card for your meal plan at the cafeteria, to get into your dorm, maybe even to get your final exam.
A swipe at a vending machine will get you a soda -- a money transaction from your campus debit account. When you use a swipe to do laundry and make copies, money has to be involved. Blackboard even notes that they can set up a merchant network on- and off-campus: "a cashless, safe, and secure way to transact on and around campus while offering parents the assurance that their funds will be spent within a university-approved network." (Emphasis added. Maybe readers who go to schools that use such a system can expand on how that system is used.)
The kicker, of course, is that this network is not very secure, or at least Blackboard doesn't think it's as secure as... well, as lawyers. One anonymous Slashdot submitter wrote that: "The authentication system is so weak that [Virgil and Acidus] have been able to create a drop in replacement for the CampusWide network debit card readers used on coke machines on campus."
Virgil couldn't provide me any details about what he had learned about the system. Based on the mirrors, it looks like a man-in-the-middle replay attack -- which is a pretty simple attack, repeating messages sniffed over the RS-485 protocol, or even over IP -- can have effects like convincing a Coke machine to dispense free product. Or, it's claimed, the attacker can create a temporary card, with no name attached, and free money in its account. Hmmmmm.
Or, more ominously, someone else's identification might be sniffed, and then replayed from a security terminal. If a thief gained entrance to a building by sending the message "open the door, my name is John Doe," the real John Doe might be sorely inconvenienced the next morning.
So, if you're a student at a school that uses Blackboard, do you feel more secure now that the DMCA has tried to stop you from learning about its security flaws?
If you're a parent putting money into a Blackboard-based debit account, do you feel more confident of its safety now that this information is ostensibly hidden?
This card system has been installed on many campuses and its roots go back almost twenty years. My guess is that replacing the card-reading hardware would be necessary to improve the security of these devices. Obviously, Blackboard would be hard-pressed to replace thousands of hardware devices at all its locations, even if they'd started in late 2001 when Acidus claims he called to tell them of the flaws he'd found (and "was blown off").
So, assuming that's not possible -- is the DMCA a viable tool to ensure security?
P.S. Virgil tells me that he has a good lawyer. They are scheduled to argue on Thursday that the restraining order not be made permanent. Slashdot will keep you apprised of what happens in our Slashback stories... stay tuned.
P.P.S. Update: 04/15 02:30 GMT by J : Now online are the restraining order, which just lists the six things that Acidus and Virgil are not to do, and the more detailed Complaint. Now that these are available, as Declan McCullagh points out, it turns out the DMCA was only in the lawyers' threatening letter and not considered as part of the Complaint itself. I'm not sure why it would be included in the letter -- some of the language of the Georgia Computer Systems Protection Act is similar, and who knows, Section 1201 might be mentioned later on, as this case progresses. Maybe the lawyers are just keeping their options open. Meanwhile, I love this part of the Complaint:
"Mr. Hoffman openly acknowledges on his website that 'I am a hacker.' His website then defends the process of hacking. See Exhibit B."
-
Building A Better Inbox (Updated)
vudujava writes "c|net is reporting that a new free (Update: not free, actually, read more for details.), web based email service is opening its doors today. They promise to deliver "100% spam free" email to their users by using a challenge-response system to all incoming, first-time mail. Catch the entire story here. Although the idea isn't new, it shows that we are notching up the "war on spam"." Alert reader George Hotelling points out this post on Politech which may give you pause when it comes to the new mail service's Terms of Service. And kraksmoka writes "As reported in this article on MSNBC: 'Hotmail subscribers are now limited to sending only 100 messages a day "in an effort to prevent spammers from using Hotmail to spread spam," said Lisa Gurry, MSN lead product manager.'" dlanod writes "In your snippet on the main page you report mailblocks.com as "a new free, web based email service". Looking at Mailblocks' site, it actually costs $9.95/year for the standard service, or $24.95/year for the expanded service with no free option listed (https://app1.mailblocks.com/register.htm)." -
My Short Life As An Unintentional Porn Spammer
Freerange writes "Mike Masnick wrote up his experience getting slammed by a somewhat new kind of spam attack that doesn't get much hype (yet?). A spammer spoofed his personal email address as the 'reply-to' for a batch of spam, with interesting results for Mike: "I can now answer the questions 'who replies to spam?' and (should anyone ever wonder) 'what are the hundreds of variations on bounced messages?'" From Politech." -
Slashback: Spamnation, Long-Distance, Libel
Slashback with updates and amplifications on Apple's stance on DRM, EasyInternetCafe's court battle over CD burning, a copyright law being drafted after Lessig's own heart, the lawyer vs. eBay saga, and VoIP calling with Linux. Read on below for the details. But sir, all of these songs are under the Open Content License! atta1 writes "In an article on The Register, EasyInternetcafe has lost its court battle against British Phonographic Industry (BPI) over burning downloaded music to CD."
When last mentioned (August of last year), EasyInternetCafe was trying to avoid fines from BPI for letting Internet cafe customers burn to CD music they'd downloaded there.
After all, somebody's got to write 'em. g_adams27 writes "Several weeks ago, Larry Lessig proposed anti-spam legislation he'd like to see Congress pass -- legislation which he was willing to bet his job on. Now it looks like Washington might be taking his bet... and they want us to help out!
A congressional aide appears to be drafting legislation based on Larry's suggestions and is asking the Politech list for suggestions. The proposed law is posted here."
IP leases are nicer than telephone leases. Lots of people were interested in the story posted the other day about VoIP support in GnomeMeeting. I mentioned there that theKompany had a VoIP application for Zaurus owners; Shawn Gordon of theKompany writes with information about a forthcoming desktop version as well.
"So we released tkcPhone a few weeks ago; we found some issues with Net2Phone that we've just finished sorting out today, and we've about wrapped up the tkPhone beta, which we expect in a day or two. Having tkPhone allows us to do some things we couldn't on the Zaurus, like make use of a Speex codec, which is part of the Xiph umbrella these days; we couldn't use it on the Zaurus because it requires floating point support. We also can have a system tray notifier and a roomier user interface. Because we spent so much time optimizing everything to work on the Zaurus, it means your desktop performance is going to be very good.
We decided to use SIP as opposed to H323 for a lot of reasons: smaller, faster, lighter, newer, easier hardware requirements. So with our phone a regular sound card and a headset/mic will typically suffice for what you need or want to do. Our arrangement with Net2phone means that in addition to PC-to-PC calls, you can make PC-to-phone and PC-to-mobile calls as well. The prices range from free to as little as $0.02 per minute in the U.S. and $0.03 per minute internationally. You're already paying for your internet access; might as well start to piggyback this stuff.
tkPhone is not free however, it is $9.95 for the electronic version of the application. We expect to have it up for sale about February 10, 2003."
And as several readers pointed out, if you're interested in VoIP on Linux, you should also check out the sites of both the Bayonne project (mentioned several times before) and Asterisk (also discussed here).
You mean they're against my inalienable right to watch movies for free? geekee writes "An article on CNET states that the Internet Streaming Media Alliance (ISMA) will include DRM support in the MPEG-4 open standard. Without DRM, the ISMA doesn't believe MPEG-4 will be able to compete against proprietary standards such as that provided by Microsoft since content owners 'want continually improved tools, with rights management.' For instance, Movielink, an online movie rental source, has opted to support Microsoft and RealNetwork formats because of their DRM capabilities. An interesting thing to note is that Apple is a member of the ISMA, and has previously declared its opposition to DRM."
Money talks, and sometimes it says nasty things. scubacuda writes "Since eBay removed the alleged libelous statements, Roger Grace has agreed to drop his libel lawsuit for $2.5 million in punitive damages from eBay and $100,000 from Tim Neeley (who wrote that the magazines he bought from Grace had arrived late and in a worse condition than advertised). Interestingly, eBay removed the feedback not because it was 'negative,' but rather because 'the contact information for the seller was not correct.' Chris Donlay, eBay spokesman, says, '[T]hat is one of the circumstances in which we will consider removing the feedback.' eBay attorneys even went so far as to claim that Grace's original lawsuit is 'completely without merit.'"
(Here's the Slashdot post from last Saturday, 'Attorney Sues eBay over Negative Feedback'.)
-
Slashback: Iridium, Synthesis, Drives
Slashback tonight with word on the (groan) fate of Iridium, more Speak n' Spell modding, examples of Serial ATA oozing to market, the RIAA versus mandatory DRM, and more. Read on for the updates. In this household, we obey the laws of physics! Tuesday before last, we mentioned that two scientists had announced what they claim is the first accurate measure of the speed of gravity.
Now, Emperor_Alikar writes "In an article on Space.com, many physicists have criticized the current work on the speed of gravity, calling it 'nonsense' and 'simply incorrect.' Many of them doubted the claims made by Fomalont and Kopeikin even before the results were announced. Many of the physicists still hold on to the idea that gravity works instantaneously no matter what the distance, an idea that originated with Newton, but that was argued against by Einstein."
Back from the back from the back from the dead. Checkers writes "Spacedaily.com posted the following two stories about Iridium today. The first story is about the DoD committing the first of three renewal options that will use Iridium through 2005. The second, related story is about an agreement inked between Iridium and Harris Corp. that allows Iridium the right to use Harris' OS/COMET satellite command and control system for the life of the Iridium satellite network."
E.T. was also into this scene. In re: matt simpson writes "Another fantastic Speak & Spell modder is Dave Wright of the band "not breathing". You can check his work out, among other modifications to toys, at www.carrionsound.com. Dave has made speak & spell/math/read for Nine Inch Nails, Meat Beat Manifesto, and many other bands. Figured you might be interested in other neat synth hackers :)"
Further evidence, never a good time to buy. SpinnerBait writes "It seems like Serial ATA Controllers have been on the market forever, but where have all the Serial ATA Hard Drives been? The wait seems to finally be over, as HotHardware shows with this review and showcase on a pair of new Seagate Barracuda V Serial ATA drives. This article covers benchmarks with the product in single drive configurations, as well as RAID 0. In addition, they show performance on two different SATA controllers, from Promise and Silicon Image. And oh, those nice thin neat little SATA cables! Gotta love 'em."
We've had a few articles about Serial ATA; I hope it lives up to its reputation.
Just to add to the confusion ... probejockey writes "A current article in the Globe and Mail claims SCO will start collecting licensing fees from some Linux users, not all Linux vendors as previously reported here."
Birds of a feather, separate rooms. Finally, Declan McCullagh sent in a few interesting links yesterday regarding the RIAA and its announced opposition to mandated DRM technologies:
"First, here are the photos from today's press conference.
Second, the supposed news of today's announcement was that the RIAA would no longer pursue mandatory-DRM technologies like the Hollings bill. But it was the MPAA that was behind Hollings from the beginning (September 2001). And when Hollings finally introduced his bill in March 2002, it was the MPAA that endorsed it, while the RIAA pointedly did not."
Thanks to Declan for the links.
Wasn't smart enough to get in, either ... Finally, thanks to the several readers who alerted me by email and in comments that the school variously rendered Cal Tech, CalTech and other things even worse is in fact properly spelled "Caltech."
-
DMCA Invoked Against Garage Door Openers
boijames writes "In the latest bit of DMCA lunacy, copyright guru David Nimmer turned me onto a case that his firm is defending, where a garage door opener company (The Chamberlain Group) has leveled a DMCA claim (among other claims) against the maker of universal garage door remotes (Skylink)." -
Lessig Wagers His Job On Anti-Spam Theory
kien writes "Lawrence Lessig is betting his position at Stanford on his anti-spam legislative recommendations. From his blog: 'First the analysis: Philip Jacob has a great piece about spam and RBLs. The essay not only identifies the many problems with RBLs, but it nicely maps a mix of strategies that could be considered in their place. But, alas, missing from the list is one I've pushed: A law requiring simple labeling, and a bounty for anyone who tracks down spammers violating the law. Here goes: So (a) if a law like the one I propose is passed on a national level, and (b) it does not substantially reduce the level of spam, then (c) I will resign my job. I get to decide whether (a) is true; Declan can decide whether (b) is true. If (a) and (b) are both true, then I'll do (c) at the end of the following academic year.' The Declan referred to in point (b) is Declan McCullagh." Update: 01/07 02:45 GMT by T : Speaking of whom, here is Declan's acceptance of Larry's bet. -
Tech's Answer To Big Brotherism
StCredZero writes "Along the same lines as the earlier article about Poindexter's info being posted, C|Net has an interesting editorial by Declan McCullagh on how to protect our personal information from unauthorized snooping by the authorities, yet let them have a database for tracking down terrorists. McCullagh's solution is based on algorithms developed for Digital Cash." -
Johansen Trial Underway
Info is trickling in about Jon Johansen's trial in Norway, where he is accused of violating Norwegian law. Aftenposten and VG Nett have stories, and there's at least one amateur account of the trial. The trial is supposed to last a week, and I'm sure Slashdot will keep up with it, so please submit only *new* stories about it, thanks. -
Slashback: Salon, Privacy, Pricedrops
Slashback with more on Salon's struggle to balance ads and subscriptions, online retailers versus online bargain hunters, the not-at-all-secret government proposal to obtain "Total Information Awareness" (including information about you), and more. Circumventing the upsell, but not all of it. Responding to the recent post about cable service a la carte, alta writes "I got a response from Jane Black (who wrote the original article) and she said slashdot jumped the gun. You cannot pick and choose which channel you want. You can just choose to get basic limited and premium without getting the 2 steps in between. Here's the actual piece of law:
"Buy-through of other tiers prohibited - A cable operator may not require the subscription to any tier other than the basic service tier required by paragraph (7) as a condition of access to video programming offered on a per channel or per program basis. A cable operator may not discriminate between subscribers to the basic service tier and other subscribers with regard to the rates charged for video programming offered on a per channel or per program basis."
Read it all here. Here's what Jane said: 'But please make sure you understand the rule (Slashdot's headline was misleading indeed.) You can't just choose which channels you want. The new rule says that you can get basic (the network and cspan etc) plus HBO/Starz/Showtime *without* having to buy the standard package as well. If you want AMC, Lifetime, whatever, you still need to buy the whole package. Make sense?'
If you still need it, you can find more about the law here. Just type 543 in the "Section" field. The citation is: Section 623(b)(8) of the Communications Act of 1934, as amended. Found at volume 47 of the US Code Section 543(b)(8)."
The Salon dilemma. A Slashdot post last week reported that Salon was in serious financial trouble, and had dropped its premium section and instituted giant ads. Salon has now moved to over-the-counter trading. "While we valued the prestige of a NASDAQ listing, this move to the OTC market should not affect our core business," says Salon's president and CEO in the story. Update: 11/26 00:42 GMT by J : One correction: Salon has not dropped its premium section.
Dole, or Hormel? MacAndrew writes "As briefly discussed in slashdot a few weeks ago, Senator-elect Elizabeth Dole has been sued by a constituent who received eight unsolicited emails from her. He claims $100 damages including "emotional distress for having received spam from someone who should know better." Salon has now published an article focusing on the critical political versus commercial speech aspect of the case. Courts have recognized political speech as the innermost circle of free speech protection, and groups such as the Electronic Frontier Foundation believe spam laws that interfere with it may be not just unwise but unconstitutional."
Surely, someone's wallet will end up fat. In reaction to the recent story about provisions of the DMCA being used to prevent the posting of post-Thanksgiving sales prices from large retailers, Brian McWilliams writes "I finished up my story about FatWallet after you posted that link on Slashdot. Might help explain some stuff."
Well, we thought this here panopticon would be a nice idea ... McLuhanesque writes "DARPA has posted the architecture for their Total Information Awareness Systems, the uber-database that purports to suck in every scrap of electronic information about everyone, mix in some Human ID at a Distance technology, among other stuff, and profile ... well, just about everyone. More of their proposed fun and games are listed here." And Declan McCullagh writes: "Just posted the transcript of the Pentagon news briefing (worth a read) on Politech. Note this is on the TIA program, not 'eDNA.'"
$10,000 is nothing to sneeze at. The idea of buying code into the world of Free software (aka code Ransom, as mentioned on Slashdot a few days ago) is drawing interest. waxed writes "FreePepper is an effort to collect enough money to purchase the source code for the multiplatform text editor Pepper from its author, Maarten Hekkelman, who has ceased development of it, and re-release it under a BSD-style license. Donations may be made via PayPal or cheque."
-
Declan McCullagh On Geek Activism
die_jack_die writes "Declan McCullagh, formerly of Wired News, lately at News.com, has written an insightful piece about the realities of geek activism. Short version: spend your time coding, not lobbying. (You might also want to check out Politech, his mailing list for this sort of stuff.)" This in contrast to Lessig's call for more lobbying. -
Slashback: Futurama, Shattering, Footage
Slashback items tonight include a hopeful picture of the Futurama future, good news for Ziff-Davis fans worried about bankruptcy, video-release updates for two films reviewed on Slashdot, and more -- read on for the details. This would be reason enough to have cable. MrChubble writes: "Seems that futurama isn't as dead as previously believed. Here is a quote from someone's experience at ComicCon: "Julie Schwartz Slide Oddball Comics Show (Hilarious as usual), and at the FUTURAMA panel they showed a preview of a forthcoming episode in which Fry, Leela and Bender become super-heroes. One thing they didn't mention at the panel, was the news that FUTURAMA would be joining Cartoon Network's ADULT SWIM in the near future." Is this too good to be true?"
We have semi-successfully identified a potential security problem ... Jim Driggers writes: "You guys recently had an article on how to escalate one's security status on a Win32 machine. The article included a link to a download called shatter.exe. My Norton antivirus says it contains the beavuh virus. I don't have IIS 5, so it is not a worry for me, but I thought you guys should know."
Actually, it shouldn't be a worry for anyone: apparently, the shatter.exe file triggers some anti-virus software, but according to several readers this is a false alarm.
How to win friends and influence people. In response to this posting ("Congress to Ashcroft: Go After Song Swappers"), Declan McCullagh writes: "FYI I've placed the congressional letter to Attorney General Ashcroft here. Also see this analysis from last summer on why P2P piracy violates the federal No Electronic Theft act: 'Duncan Frissell on why Napster users are federal felons'."
Up against the wall (of videos). An anonymous reader writes "Looks like the film Revolution OS finally makes it to a small screen near you. First copies available at HP booth at LinuxWorld, San Francisco.
It includes footage from LinuxWorld '99 in San Jose where Stallman accepts the "Linus Torvalds Award" from the hand of Linus and proceeds to talk about why Linux should be called GNU/Linux. This is a treasure."
In addition, for the skateboard-inclined, note that Dogtown and Z-Boys is finally out on DVD, too.
Slimmer and trimmer like I ought to be. prostoalex writes "The rumors of Ziff Davis filing for Chapter 11 can just stay rumors, as the company claimed it achieved a compromise with bondholders on financial restructuring. Recently ZD has been shutting down a slew of print publications including Yahoo! Internet Life, Family PC, Expedia Travels, Interactive Week, eShopper and Smart Business. It is still a publisher of eWeek, PC Magazine, CIO Insight, ExtremeTech and other computer and gaming magazines."
-
Slashback: Futurama, Shattering, Footage
Slashback items tonight include a hopeful picture of the Futurama future, good news for Ziff-Davis fans worried about bankruptcy, video-release updates for two films reviewed on Slashdot, and more -- read on for the details.This would be reason enough to have cable. MrChubble writes: "Seems that futurama isn't as dead as previously believed. Here is a quote from a someone's experience at ComicCon: "Julie Schwartz Slide Oddball Comics Show (Hilarious as usual), and at the FUTURAMA panel they showed a preview of a forthcoming episode in which Fry, Leela and Bender become super-heroes. One thing they didn't mention at the panel, was the news that FUTURAMA would be joining Cartoon Network's ADULT SWIM in the near future." Is this too good to be true?"
We have semi-successfully identified a potential security problem ... Jim Driggers writes: "You guys recently had an article on how to escalate one's security status on a Win32 machine. The article included a link to a download called shatter.exe. My Norton antivirus says it contains the beavuh virus. I don't have IIS 5, so it is not a worry for me, but I thought you guys should know."
Actually, it shouldn't be a worry for anyone: apparently, the shatter.exe file triggers some anti-virus software, but according to several readers this is a false alarm.
How to win friends and influence people. In response to this posting ("Congress to Ashcroft: Go After Song Swappers"), Declan McCullagh writes: "FYI I've placed the congressional letter to Attorney General Ashcroft here: Also see this analysis from last summer on why P2P piracy violates the federal No Electronic Theft act: 'Duncan Frissell on why Napster users are federal felons'."
Up against the wall (of videos). An anonymous reader writes "Looks like the film Revolution OS finally makes it to a small screen near you. First copies available at HP booth at LinuxWorld, San Francisco.
It includes footage from LinuxWorld '99 in San Jose where Stallman accepts the "Linus Torvalds Award" from the hand of Linus and proceeds to talk about why Linux should be called GNU/Linux". This is a treasure."
In addition, for the skateboard-inclined, note that Dogtown and Z-Boys is finally out on DVD, too.
Slimmer and trimmer like I ought to be. prostoalex writes "The rumors of Ziff Davis filing for Chapter 11 can just stay rumors, as the company claimed it achieved a compromise with bondholders on financial restructuring. Recently ZD has been shutting down a slew of print publications including Yahoo! Internet Life, Family PC, Expedia Travels, Interactive Week, eShopper and Smart Business. It is still a publisher of eWeek, PC Magazine, CIO Insight, ExtremeTech and other computer and gaming magazines."
-
X-Box Flaw: MS Won't Use DMCA
-
RIAA Smacked by DoS
nekid writes "ZDNet is reporting that the RIAA's website was hit by a denial-of-service (DoS) attack over the weekend, most likely in response to their endorsement of legislation that would give them permission to do the same to personal computers that are pirating music (see earlier article). Seems to me that they are killing themselves with bad public relations..." But it seems to me that they don't care, and are instead banking on the ignorance of the bulk of the world. -
MPAA Requests Immunity to Commit Cyber-Crimes
The news has been buzzing around for the last couple of days that Representative Berman, whose palm has been crossed with silver by the entertainment industry, would introduce a bill permitting copyright holders to hack or DoS people allegedly distributing their works without permission. Well, the bill has been introduced - read it and weep. Although the bill wouldn't allow copyright owners to alter or delete files on your machine, they would be allowed to DoS you in essentially any other way. Let me restate that: the MPAA and RIAA are asking that they be allowed to perform what would otherwise be federal and state criminal acts and civil torts, and you will have essentially no remedy against them under any laws of the United States. -
Results of the Commerce Dept's DRM Workshop
al3x writes "I attended the Digital Rights Management Workshop held this afternoon at the Dept. of Commerce in my home town of Washington, DC. Though there were a number of professional journalists present, some of whom have already gotten their story on the event out, I want to offer a view less constrained by the need for journalistic objectivity, and share the eye-opening experience I wasn't expecting." al3x's story follows; Grant Gross of Newsforge attended and wrote up his experiences; and besides the News.com story, Declan also took a bunch of photographs. However, he has misidentified Jay Sulzberger in the photographs and story - this is Jay Sulzberger, not the guy kneeling at the table. Update: 07/18 15:07 GMT by M : The kneeler is now identified as Brett Wynkoop. al3x's report:
I arrived early, heeding the warnings of first-come, first-served seating. With the small room packed to standing room only, this paid off. In addition to the panelists, listed on the Workshop's site above, notables included Robin Gross, attorney with the Electronic Frontier Foundation, Richard Stallman of the Free Software Foundation, and journalist and Politech list-founder Declan McCullagh. Lobbying groups distributing materials to the audience included New Yorkers for Fair Use and the American Library Association. Several interns from NIST and a couple of other young folks like myself showed up unaffiliated with any group, and the remainder of the crowd appeared to be typical Washington: lawyers, politicos, journos (professional and college), and think-tankers. A proper press kit was noticeably (and notedly, by said journos) absent.
As the talks began, I was brimming with the enthusiasm and anger of an "activist," overjoyed at shaking hands with the legendary Richard Stallman, thrilled with the turnout of the New Yorkers for Fair Use. My enthusiasm and solidarity, however, were to be short-lived. The Workshop's effective chairman and moderator, Chief of Staff and Under Secretary of Commerce for Technology Phillip Bond, offered some opening remarks touching on their previous meeting, held this past December, including noting that piracy has risen, particularly in the music industry. Further welcomes came from James Rogan, Under Secretary for Intellectual Property, who acknowledged having worked with many members of the "roundtable." Rogan suggested that there were "no villains present," which drew the first of a number of chortles from the NY Fair Use crowd and their sympathizers. First on the table was a discussion of progress towards standards for Digital Rights Management (DRM henceforth).
This rather dry topic, upon which there appeared to be little consensus or definite progress, was dealt with relatively quickly, sparking only a handful of interesting and notable concerns. Here the clear divide between the tech industry and "content" industry (the movie studios, record industry, etc.) became apparent. Andy Setos of the Fox Entertainment Group called for attention to the "analog hole" in DRM standards, stating "from [the point content reaches analog televisions] it's a free-for-all." The sentiment was echoed by several of the other content providers, and reiterated throughout the discussions. Oddly, with a number of opinions bounced around and no coherent conclusion, moderator Bond moved on, blessing the segment of discussion as having been productive.
Moving to discussions of business models, technological viability, and the government's role, the panelists took the gloves off and came out swinging. And as the discussion started to get juicier, so the "activists" got noisier. Comments from the RIAA's Mitch Glazier that there is "balance in the Digital Millennium Copyright Act" (DMCA) drew cries and disgusted laughter from the peanut gallery, who at that point had already been informed that any public comments could be submitted online. Even those in support of Fair Use and similar ideas began to be frustrated with the constant background commentary and ill-conceived outbursts of the New Yorkers for Fair Use and, to my dismay, Richard Stallman, who proved to be as socially awkward as his critics and fans alike report. Perhaps such behavior is entertaining in a Linux User Group meeting or academic debate, but fellow activists hissed at Stallman and the New Yorkers, suggesting that their constant interjections weren't helping.
And indeed, as discussion progressed, I felt that my representatives were not Stallman and NY Fair Use crowd, nor Graham Spencer from DigitalConsumer.org, whose three comments were timid and without impact. No, I found my voice through Rob Reid, Founder and Chairman of Listen.com, whose realistic thinking and positive suggestions were echoed by Johnathan Potter, Executive Director of DiMA, and backed up on the technical front by Tom Patton of Phillips. Reid argued that piracy was simply a reality of the content industry landscape, and that it was the job of content producers and the tech industry to offer consumers something "better than free." "We charge $10 a month for our service, and the competition is beating us by $10 a month. We've got to give customers a better experience than the P2P file-sharing networks," Reid suggested. As the rare individual who gave up piracy when I gave up RIAA music and MPAA movies, opting instead for a legal and consumer-friendly Emusic.com account, I found myself clapping in approval.
Though Jack Valenti proved he could stump with the best good ol' southern gentleman, deriding his intelligence before offering sweeping proclamations, the majority of the discussion was surprisingly consumer-friendly. All in the room, even Valenti, agreed that P2P technology was not inherently bad, but could merely be put to bad uses. Geeks should be happy to know that their voice is being heard by the tech industry: folks from Intel and IBM really seemed to "get it" along with Reid and the aforementioned crowd. There was clear animosity, however, between content providers and the techies. Elizabeth Frazee of AOL Time Warner, for example, was quick to say that "the content industry is looking for government help," and tech industry reps were quick to suggest that we're nowhere near even agreeing on standards or what needs to be enforced, much less imposing legislation. The general sentiment of the tech crowd appeared to be that piracy was a social issue and an ever-present one, and no amount of legislation or technological blocks (your Palladiums and whatnot) would stop it. The solution, the techs seemed to suggest, was competing well in the marketplace and offering consumers a good reason not to pirate content.
The session drew to a close, and a large bearded man in an ill-fitting suit quickly jumped up to say the NY Fair Use people would be giving a press conference of their own out front at 4:30. I followed a reporter from NewsForge to the motley band of activists, who preached largely to their own choir, with the exception of a few youths like myself and the remaining reporters. I confronted Richard Stallman for his thoughts on the "better than free" proposal that Reid had offered, to which he was happy to sermonize on the false construct of intellectual property. I suggested that perhaps artists could, if they so chose, license their music under a GPL-inspired copyleft like the Open Music License, and strike out an independent path, as he did in the software industry. I was informed that musicians needed the record industry for wide exposure, and of the record industry's various artist-related evils. I then inquired about how Stallman felt about downloadable music services like Emusic.com, which place no restrictions on how you use the music you've bought from them, though the music is copyrighted and the artists and labels are compensated. Stallman agreed, after having informed me minutes ago that intellectual property as a concept was bunk, that this sounded pretty reasonable.
I walked away from the afternoon's experiences feeling much more represented by the tech industry, though sympathetic to the activists' desire for more consumer representation in future Workshops. Notably, the EFF was explicitly shut out of this discussion, which is unfortunate; the NY Fair Use crowd, however, never bothered to request a representative, preferring to show up and disrupt the debate on their own terms, and for nobody's good but their egos, it seems. If the tenor of this discussion remains focused towards the marketplace, as the tech industry wants it to, then we as geeks and concerned consumers have little to worry about. However, if the content industry gets its way, we're looking at legislation mandating DRM, which is essentially subsidizing the slowly-failing record and movie industries like we've done with airlines and big steel. Our best hope, I'm surprised at myself to say, is in a Free Market, and not screaming, indignant geeks passing out buttons and shouting down Jack Valenti.
-
Coble-Berman Bill Would Restrict Fair Use
Amazing Quantum Man writes "News.com is reporting on the new Berman-Coble copyright bill. This bill is a two-edged sword. It would make life easier for webcasters, but it would restrict fair use. Interestingly, according to the article, Berman allegedly opposes the bill that has his name on it as a sponsor! I don't think it's on Thomas yet, but Politech has a copy of the bill (2.1M PDF)." The report which the memorandum attached to the bill refers to is online. Congress is making an effort to reconcile traditional copyright law with the realities of digital copying; there's no telling whether the end product will be something tolerable or not. -
Latest UDRP Stupidity: Unix.org, Canadian.biz
The Uniform Dispute Resolution Procedure, an expedited process for allowing corporations to steal domain names, continues to be abused as arbitrators stretch the definitions of "cyber-squatting" to any length in order to find for the corporate complainants. Lunenburg writes "Unix.Org, a site that was apparently used for noncommercial discussion of Unix(tm) operating systems, has been ruled a "cybersquatter" by a WIPO panel and given to the X/Open group. In spite of not actually matching any cybersquatting criteria, a WIPO panelist felt that by providing links to commercial sites, Unix.ORG was acting in "bad faith" and thus should be given over to the Open group." And WEFUNK writes "Exploiting an obvious technical error to help build their case, Molson Inc. has been awarded the seemingly generic canadian.biz domain from the original owner who "registered this name because I am Canadian and want to develop a Canadian business directory" and is now appealing to the courts." John Gilmore has a bit of commentary. -
ICANN Updates
ICANN is meeting in Bucharest next week, which means they're floating all their usual smoky-room schemes just prior to the meeting. leto writes "The three RIRs, ARIN, APNIC and RIPE-NCC, have just released a joint statement that basically tells ICANN that their Evolution and Reform plan is unacceptable, and tells ICANN to go play elsewhere, and leave the address space in the hands of the well-working bodies." An interesting mailing list debate has been going on between ICANN's critics and ICANN's extremely well-paid and extremely sleazy attorney: critic, attorney (sleazy!), critic again, another critic, attorney again, critic's response, still other critics. And finally, note that the .org TLD is up for bids - the New York Times has a story, Newsforge has another. -
ICANN Releases Reform Plan
JCallery writes "CNN is reporting on the plan drawn up by ICANN's restructuring committee after ICANN decided to abandon direct elections." We had an earlier story about the restructuring plan with some notes from one of the board members who attended. ICANN's plan is online and a must-read for anyone interested in internet governance issues. Below, I have some notes about why this restructuring would be a terrible idea for regular internet users. If you've followed the history of ICANN at all, you know that it was originally set up to have substantial representation from the general public (known as At-Large representatives) - 9 of 18 board members. The original unelected board immediately set about undermining that, only electing 5 members and keeping on four "board-squatters" from the original unelected bunch.
The elections of the five At-Large members had two flaws from the point of view of ICANN's unelected board:
- There were assorted technical issues with the voting process, due apparently to incompetence from the contractor who handled it.
- Two of the five new board members who were elected did not represent the same corporate interests as the rest of the board.
Of these two flaws, the second was by far the more severe. The board risked losing control of ICANN to people who might run it for the public good rather than for the good of the corporations represented on the board. They started backing away from having any sort of elected representation whatsoever. In February 2002 ICANN President Lynn floated a reform proposal which would eliminate the At-Large representation - or rather, it would keep something called "At-Large", that would no longer be elected by the general public but instead appointed by the Board itself. Instead of the general public picking new ICANN Board members, the ICANN Board would pick new ICANN Board members. This was followed by a vote which confirmed ICANN's commitment to eliminating elected representation.
Now the reform proposal is out. There would be two classes of board members:
- approximately eight ex-officio members (members holding the board seat due to some other title or position they hold)
- approximately five to eleven members picked by a Nominating Committee (the Committee to be chosen by the current Board) and perhaps confirmed by the Board
It is important to note how thoroughly captured this process is. Many of the ex-officio seats accrue from positions that are selected by the ICANN Board. So the ICANN Board picks someone to be chief dogwalker, and the chief dogwalker gets an automatic position on ICANN's Board.
The seats selected by the Nominating Committee are also extremely vulnerable to capture. Let me use a real-life example of how nominating committees work to show what I mean: my credit union.
My credit union has a board structure very similar to the one proposed for ICANN: several ex-officio members, and a number of seats elected by the general populace (everyone who has an account at the credit union). This structure is actually more flexible than that proposed for ICANN, since ICANN does not plan any direct elections at all. However, the credit union membership picks from among candidates selected by a Nominating Committee. Every year or two, I get a ballot in the mail. I can choose from among all the candidates selected by the Nominating Committee, and I can check boxes for the candidates that I prefer, up to the number of open seats available on the Board.
I never return these ballots. Why, you might ask? Because the number of candidates is usually identical to the number of open seats. Three empty seats, three candidates to choose from. Six empty seats, six candidates to choose from. I think one year they might have had more candidates than open seats, but it was an aberration.
This system apparently works well for credit unions: would you believe that they pay interest on my checking account? What it does guarantee is that all future Board members will represent the same biases that are present in the Board at the instant the system was instituted. In my credit union's case, this guarantees "fiscal responsibility" or "fiscal conservatism".
For ICANN, what it would do is institutionalize the biases currently present. Whatever biases are there right now, will be there forever, as the system becomes a self-reinforcing feedback loop with no external controls.
The Board's current biases are toward:
- expanding ICANN's mission from a purely technical body to one that is willing to govern the Internet - taking on assorted social/political issues as it sees fit
- running ICANN for private profit rather than public benefit
Neither of these two traits needs reinforcing. Karl Auerbach, one of ICANN's At-Large directors, has his thoughts on a possible ICANN structure.
-
South African Internet Blackout?
MdeGale writes "A tussle for control of the .za domain has sparked the possibility of a blackout for all .za sites. This article in the Independent online reports that Mike Lawrie -- the administrator of the ".za" domain -- would: 'have no alternative but to pull the plug on millions of email addresses and Internet sites if parliament passed the controversial Electronic Communications and Transactions Bill this week.' There is an excellent breakdown of the background situation at Politech. Basically the SA government wants to regulate the domain (and take over administering it). The Bill -- due to be passed this week -- would make this law, without Lawrie's agreement to the redelegation, as per ICANN practice." -
DMCA Attacks: NAI Tells Sites To Remove PGP (Updated)
daecabhir writes: "I am on Declan McCullagh's excellent policy and technology mailing list, and received this article on Declan's Politech web site. Basically, Network Associates now appears to be using the DMCA to force sites that provide access to the "free" versions of PGP to cease and desist, if this is any indication. Unfortunately, I think that Network Associates may well be within their rights with regards to 'their' intellectual property, even if I disagree with the manner in which they are going about things." Update: 05/22 13:55 GMT by T : Looks like this wasn't the whole story, and in fact NAI was only objecting to a site with the commercial version of its software -- read below for more. Grant Bayley writes: "The hype being generated by the "NAI pulls out the DMCA stick" postings and the spectre of PGP being "removed from the Internet" is entirely bogus, and provably so with a little bit of fact checking. Looking through the Google cache, it becomes very clear very quickly that crypto.radiusnet.net was hosting a copy of the commercial version of the software - not a copy of the PGPi (aka freeware) version of the PGP product. Given that this is the case, NAI is well within their rights to demand the removal of the files.
You can confirm this in the Google Cache.