Slashdot Mirror

ddccss, the Distributed DoubleClick Cookie Snarfing System, now has more than 15 million DoubleClick cookies in its archive.

Also, there's a Fucking Retards Guide to Blocking doubleclick.net.

ddccss, the Distributed DoubleClick Cookie Snarfing System, now has more than 15 million DoubleClick cookies in its archive.

Also, there's a Fucking Retards Guide to Blocking doubleclick.net.

We can definitively end all debate on this subject by using the Tool of Objective Truth, a.k.a. the Sucks-Rules-O-Meter.

Waterworld: sucks 236, rules/rocks 1255
Mission to Mars: sucks 93, rules/rocks 2280
Mars Attacks: sucks 204, rules/rocks 922
Battlefield Earth: sucks 81, rules/rocks 1624
The Matrix: sucks 1294, rules/rocks 6641
Red Planet: sucks 117, rules/rocks 2847

(Note: the terms "Mission to Mars" and "Red Planet" combined with "rocks" may be yielding hits based on actual Martian lithology, not the movies.)

So there you have it, all of these movies rule more than they suck. I don't much agree with these results, but what can I say? This is hard science we're dealing with here; the TOOT does not lie!

Universities are evil proprietary-software-requiring, Linux-banning, too-much-money-charging, free-speech-stomping, bogus-patent-filing bureaucratic Stalinist hellholes anyway.

It's too late for me -- but young hackers, save yourselves! Don't go.

Dan,

Good points and it doesn't need to be done in the browser. It can be done in several different places -- the browser, web proxy, router, name server -- and others linked to from other posts in this thread, like the Microsoft Windows Registry or /etc/hosts. Any one of them works.

Discussions like this one get technical people to block Doubleclick for others -- maybe regular users don't care about privacy, and ISPs won't do anything about it, but you can bet that company sysadmins are paying attention. Confidentiality and paranoia are all in a day's work for them. And considering that many of Doubleclick's client web sites depend on traffic from people who are supposed to be working...well, it's not too long before some of them start dropping Doubleclick. Even if a relatively small number of sites block effectively, the content providers will be increasingly motivated to switch.

And that leaves Doubleclick stock in the shitter, and sysadmins looking from banner site to banner site, saying, "who's going to try it next?"

"No inter-site tracking" will become as much an accepted net business practice as "no spam." Isn't having a villain handy?

You don't need to write a new zonefile. You can use the "db.local" or "named.local" zonefile.

When users are giving up information about your company without knowing it, it's just like any other exploit. Users don't know how to block it so it's up to you. (And we are talking company information here -- unless all they do is look at porn and stock tickers.)

It is your responsibility to block doubleclick.net web tracking, just like it's your responsibility to keep people outside your organization from reading /var/log/maillog.

I've posted this quick-and-dirty way to block doubleclick before, and I'll post it again:
zone "doubleclick.net" {
type master;
file "db.local";
};

See this privacy note for detailed instructions for Red Hat and Debian. With a 5-minute tweak, you can protect the web traffic of everyone who uses your name server. (While you're logged in to the name server anyway, make sure you have the latest BIND.)

Yes, it's better to run a real proxy, or go around to everyone's machine and disable cookies, or do it some other "Right Way." But better to do what you have time for than to not do anything.

Two requests: First, read up on the DMCA cases before you come so you can answer people's questions. Second, be polite and obey the law.

I personally think the Cyber Patrol case is the worst DMCA abuse so far, since Mattel basically used DMCA to censor an article and analysis that was critical of software it wants to install in public libraries. But some of you might be interested in the Slashdot/Microsoft mess or the DVD cases too. Hope to see you all there.

Two requests: First, read up on the DMCA cases before you come so you can answer people's questions. Second, be polite and obey the law.

I personally think the Cyber Patrol case is the worst DMCA abuse so far, since Mattel basically used DMCA to censor an article and analysis that was critical of software it wants to install in public libraries. But some of you might be interested in the Slashdot/Microsoft mess or the DVD cases too. Hope to see you all there.

System administrators are responsible for protecting user security even if users don't understand the security threat. For example, we don't let users read each other's mail, even if they want to.

Part of protecting user security is blocking the worst, most intrusive web tracking. See this 5-minute privacy tweak to disable doubleclick.net tracking for your entire site, and this article for more good reasons why.

Perhaps you meant the completed "Great International DVD Source Code Distribution Contest"

I like slashdot and I spend a lot of time here, too much! :) One of the ideas I've played with, but lack the skills to implement is a kind of summary or synopsis of the slashdot comments on a story by story basis, and then on a theme by theme basis.

I figure this could be done initially and crudely using simple word count searches: index all words (skipping "the,and,a" etc.)in a forum and build a histogram. This by itself would be only so-so interesting, but if you expand it to include immediately adjacent words it gets more interesting. Think of a more developed and refined Operating System Sucks-Rules-O-Meter. And then two neighbouring words, etc.

Why is this interesting? Because it would be the closest thing to describing what the slashdot community as whole thinks. The meta-slashdot would be a sort of ongoing ballot or poll.

Although I've only mentioned Slashdot, there's no reason the same technique couldn't be brought to bear on any discussion group.

-matt

I'd post these comments on PDJ, but we're currently swamped with slashdot hits, so I figgered I'd do it here:

1. Yes, it's silly. Yes, it's a joke. But humor is one of the biggest assets of the freedom-loving community. Let's use it wisely.
2. Wide distribution of DeCSS *may* be a minor nuisance for "good" people looking for DeCSS. Note, however, that the DVD-CCA has done much, MUCH worse damage by shutting down sites with DeCSS and sites that link to sites with DeCSS. The problem of having to sift through false DeCSS's is a drop in the bucket by comparison.
3. Also remember that someone who's looking for DeCSS just to use it only needs to find *one* copy. Even if they get a few false positives, they will eventually find a real one. However, someone with a legal agenda will be looking for ALL copies. Having thousands of decoys will make their hunt much more difficult.
4. If you're really worried about making it easier for "good" people to find DeCSS, mirror it! Or at least link to the excellent meta-site at dvd-copy.com.
5. Someone smart will be able to find the "real" DeCSS using file sizes and hashes. Fine! Let's make them work harder. Also, the person who does that coding (they'll probably use Free Software like perl to get it done) should think long and hard about it. Shame on geeks who sell out their brothers to The Man!
6. I do not weep for Jack Valenti and the MPAA. They already mentioned the DeCSS Distribution Contest in legal filings. I'm sorry if we're making it hard to sue the Internet. Maybe the next industry cartel with this idea will think twice about it.
7. If you can't get into Pigdog Journal, try one of these mirror sites:
   • Crackmonkey
   • Cryptome
   • Pottymouth
   • ZGP

I'd post these comments on PDJ, but we're currently swamped with slashdot hits, so I figgered I'd do it here:

1. Yes, it's silly. Yes, it's a joke. But humor is one of the biggest assets of the freedom-loving community. Let's use it wisely.
2. Wide distribution of DeCSS *may* be a minor nuisance for "good" people looking for DeCSS. Note, however, that the DVD-CCA has done much, MUCH worse damage by shutting down sites with DeCSS and sites that link to sites with DeCSS. The problem of having to sift through false DeCSS's is a drop in the bucket by comparison.
3. Also remember that someone who's looking for DeCSS just to use it only needs to find *one* copy. Even if they get a few false positives, they will eventually find a real one. However, someone with a legal agenda will be looking for ALL copies. Having thousands of decoys will make their hunt much more difficult.
4. If you're really worried about making it easier for "good" people to find DeCSS, mirror it! Or at least link to the excellent meta-site at dvd-copy.com.
5. Someone smart will be able to find the "real" DeCSS using file sizes and hashes. Fine! Let's make them work harder. Also, the person who does that coding (they'll probably use Free Software like perl to get it done) should think long and hard about it. Shame on geeks who sell out their brothers to The Man!
6. I do not weep for Jack Valenti and the MPAA. They already mentioned the DeCSS Distribution Contest in legal filings. I'm sorry if we're making it hard to sue the Internet. Maybe the next industry cartel with this idea will think twice about it.
7. If you can't get into Pigdog Journal, try one of these mirror sites:
   • Crackmonkey
   • Cryptome
   • Pottymouth
   • ZGP

Under Kaplan's definition of "DeCSS", he mentioned the Distribution Contest from awhile back. He also mentions that the winner of the contest was awarded with "copies of DVD's". EXCUSE ME? This gives the impression that a group of hacker kids gave away burned copies of DVD's as prizes - not true, AFAIK. Especially since Eric Raymond was one of the judges.

Why hasn't the news hit Slashdot that Linus Torvalds blasted the DVD CCA in his LinuxWorld keynote yesterday? Linuxtoday.org has been carrying the news all day; I'm surprised it hasn't made it here.

The Word 97 and RTF versions of the Stevenson whitepaper are now online. You can grab them at this site.

Defendent #46

I don't know about greatest hack, but this should get a honourable mention on the DVD source code distribution contest page

Shame the contest is closed. It would have been great to send a DVD to the Judge as a prize.

Today, the DVD Copy Control Association and the EFF once again met in court, this time to argue for and against the ordering of a Preliminary Injunction against, basically, the entire Internet, forbidding further dissemination of DeCSS, the source code module that decrypts DVD MPEG streams. After today's hearing, there should be no doubt in anyone's mind that shrinkwrap license "agreements" are monsterously unethical and should on no account be allowed to stand.

It is worth noting up front that I am an adamant, vociferous opponent of these so-called "agreements", so I hope the reader will excuse some editorial bias. (Individuals interested in my editorial on the subject can find it here.) Also, events in court did not occur strictly in the order I will present; I will be grouping together related concepts to make them easier to compare.

Court began promptly at 13:30, and counsel for plaintiff and defendant introduced themselves (the names went by too quickly for me to get most of them). Judge Elfving indicated that he would not render his decision today, but would rather consider the arguments and filings before him and render a decision at a future time. He was unwilling to commit to a specific date, but indicated that it would not be overlong. Judge Elfving then invited plaintiff's counsel to present their argument.

Jeffrey Kessler began his argument with the following question: Can a user extract trade secrets in violation of a shrinkwrap agreement? A lot of other arguments were presented, but it seemed to me that the DVD CCA's entire case proceeds from this single precept.

In order to prevail in a trade secret violation, the plaintiff must show:

• That a trade secret exists. Trade secrets must posess information, must derive value from their secrecy, and that the secret's owner must employ reasonable measures to protect that secret.
• The secret was misappropriated. CCA argues that "improper means" were employed to create DeCSS.

CCA's contention is that the reverse engineering employed to discover the CSS algorithm was prohibited by Xing's shrinkwrap license "agreement". (Kessler reiterated this point with some force throughout the proceeding.) Since the reverse engineering violated this contract provision, the algorithm discovered within was improperly obtained due to breach of contract, and is therefore a trade secret violation. DVD CCA therefore argues that they are entitled to a Preliminary Injuction forbidding further dissemination.

Kessler went to a lot of trouble establishing that the original source of DeCSS was Xing's player. An expert's affadivit asserts that the original DeCSS release contained only Xing's key, suggesting that it was the Xing player that had been reverse engineered. Presumably, by establishing Xing to be the original source, they can invoke Xing's "license" that prohibits inspection.

Kessler made the assertion that, even if the "clickwrap" license had somehow been avoided, it still applies and is in force, since the license stipulates that assent to the contract is made, not by clicking on "OK", but by installing and using the software.

Kessler also seemed to go to some lengths to attempt to establish when DeCSS made its first appearance, which appears to have been the binary-only release on 6 October, 1999 from the group M.O.R.E. (Masters Of Reverse Engineering). Subsequent to that, Stevenson's work (where he attacks the hash rather than the keys) appeared around 25 October, 1999. I presume he did this in an attempt to establish that any release subsequent to these dates "must" have come from the "improperly obtained" algorithms.

DVD CCA cited several court cases supporting their petition for a Preliminary Injuction, which were granted forbidding further dissemination of materials under dispute (notably, the Religious Technology Center (Scientology) vs. Netcom). Kessler further asserted that no court case has ever held reverse engineering to be proper.

Kessler also cited the recently effected Digital Millennium Copyright Act which, as a matter of "public policy", forbids reverse engineering. However, he went on to state that DVD CCA is not bringing suit under the DMCA; they are bringing suit under the Uniform Trade Secrets Act.

The plaintiffs also asserted that the "hacker community" clearly knew that DeCSS was obtained improperly, and proceeded to quote from postings in Slashdot discussion fora made back in July where random people opined that a DVD player for Linux might not be legal to develop. (There were no in-court mentions of Natalie Portman or hot grits.) Kessler asserts that this public discussion validates their claim that the defendants "should have known" DeCSS is illegal.

The plaintiff also stated that the fact people may have been trying to develop a DVD player for Linux is entirely beside the point. Moreover, he stated that DVD CCA was not discriminating against Linux, that they were more than willing to license CSS to any "credible party" who wanted to develop a DVD player.

Finally -- and I think this is fairly significant -- DVD CCA made the observation that, if this were a copyright case, there might be a provision for reverse engineering under the Fair Use doctrine. However, there is no such provision in Trade Secret law, and the reverse engineering is therefore improper.

Kessler then turned the floor over to Robert Sugarman, who proceeded to disparage the EFF's First Amendment arguments. He repudiated the assertion that the defendants were news sources, and that they should not be accorded the protections available to newspapers. He asserted that the defendants are doing much more than engaging in First Amendment-protected discussion on this issue.

He repudiated EFF's citation of the Bernstein case. Copyright was at issue in Bernstein; this is a Trade Secret issue.

He also likened the obtaining of the DeCSS algorithm to breaking into Coca Cola's inner sanctum and stealing a copy of their secret formula. (In fact, the analogy of Coke's secret formula figured prominently in the plaintiff's arguments.)

Then he dropped a small bomb and stated outright, in open court, that they seek to enjoin not only hosting of the DeCSS code, but links to the DeCSS code. He asserted that, because links provide "instant access" to the disputed material, they should be forbidden as well.

He attempted to discredit the Open Source (nee "Hacker") community's motives by bringing to the court's attention the DeCSS Distribution Contest, and Copyleft's new DeCSS t-shirts, painting it as juvenile and irresponsible.

For some reason, he also called attention to the recent cracking of PacBell's ISP accounts, and CDUniverse's credit card database. Presumably, he was trying to associate the criminal activities of these individuals with the activities of the defendants in the case, both of which "clearly" demand decisive action from the court.

Finally, Mr. Sugarman asserted that, if a Preliminary Injunction is not granted, the message it will send is:

• Theft of trade secrets is OK,
• IP law is no longer viable,
• It is "not safe" to publish in digital media.

These remarks by the plaintiff's counsel consumed about an hour and a half. Judge Elfving called a 15 minute recess, after which counsel for the defense began.

The first guy (whose name I did not catch) seemed to rely more on bombast and specious details than on concrete questions of ethics and law. Nevertheless, he did raise some interesting points.

The Scientology case was raised again, this time to point out that the Preliminary Injunction granted and affirmed in that case applied only to one person, not to the entire Internet. He went on to cite the cases of Sega vs. Accolade and Vault vs. Quaid, cases in which reverse engineering was upheld as permissible.

He asserted there was only one real defendant in this case, the one who allegedly did the "dirty deed": Mr. Johansen of Norway who originally developed and published DeCSS. If there is indeed a legitimate action that can be taken, it is solely against this individual.

He turned the plaintiff's Coca Cola analogy on its head by stating that one could buy a can of Coke, take it to a chemical analysis lab, figure out what it was made of, and publish the results. Such an act would be entirely proper under the Trade Secret Act under which DVD CCA is suing.

The defense also argued that trade secret law is a "relational tort," enabling an action of one party against another. It does not protect the secret itself.

He asked, "Where is Xing in this case?" If, as submitted, DVD CCA's license requires licensees to take reasonable measures to protect their trade secrets, then Xing has clearly failed in this obligation. Further, he asserted the DVD CCA does not provide code itself, but expects the individual licensees to develop compliant code. Therefore, any misappropriated technology belongs to Xing, not to DVD CCA.

Finally, he made a highly dubious assertion that there was no evidence submitted to establish that DVD CCA were the legitimately assigned licensors of CSS (which has been developed by Matsushita and Toshiba), and therefore were not empowered to bring this action. (This was readily debunked by the plaintiff during rebuttal.)

After he finished, Eben Moglen, Professor of Law from Columbia Law School took over. I don't think I overstate the issue when I say this guy absolutely kicked ass. Besides being a good orator, the man clearly understands technology as well as law. He's written a treatise on the issues of intellectual property in the digital age entitled Anarchism Triumphant: Free Software and the Death of Copyright.

Mr. Moglen basically proceeded to shred the plaintiff's arguments. He pointed out that DeCSS has nothing to do with wholesale copying; DVDs may be bit-for-bit duplicated and will play in any player without the use of DeCSS. He debunked the assertion of "irreparable harm" to the movie industry by doing some basic bandwidth math showing that downloading a 5.1 gigabyte movie will take you 30 hours (DSL speeds), and if you have a direct backbone connection, it'll take ten hours. Wholesale copying of movies in this manner is therefore not a realistic concern.

He raised the plaintiff's assertion that, while it may not be economically viable to copy movies today, these technologies will become cheaper and more available in the future. However, such theoretical future damages are not at issue; the court need only concern itself with what is happening now.

Mr. Moglen went on to describe CSS as extremely weak, and outlined Stevenson's novel attack against the cipher, which involves attacking the hash value to reconstruct the "title key" by which the MPEG stream may be decoded. In such a case, none of DVD CCA's keys are employed. The title key for any disc can be cracked on a Pentium-III in about 18 seconds. He drove home CSS's weakness by mentioning that Mr. Johansen of Norway is 15 years of age. Thus, the trade secret at issue must not have have been very secret, as it was literally child's play to discover it.

With all this, Moglen asserted that no cause of action remains because no trade secret remains. The "secret" in question was obtained by legitimate means, and Stevenson's subsequent work illustrates that none of DVD CCA's alleged secrets need be involved in decrypting a DVD. Had the DVD CCA acted more swiftly in restraining Mr. Johansen, they might have a cause for action. As it is, they've waited too long.

When he concluded, Moglen received light applause from the gallery as Judge Elfving asked for rebuttal from the plaintiffs.

Mr. Kessler assailed the work of Stevenson, saying that it proceeded from the improper DeCSS code by Johansen. Therefore, Stevenson's work, though novel, is "contaminated" by Johansen's alleged breach of the Xing "license", and the trade secret is still protected.

He argued against defense assertions that no license was in force, saying basically, "Yes, there was!" He attacked EFF's citation of the Sega case, stating that it was a copyright case, and that reverse engineering was held to be proper under Fair Use. This is a trade secret issue.

However, he went on to call attention to the DMCA again, stating that, as a matter of "public policy", reverse engineering is held to be improper. Then he flips again, and says they're not citing DMCA, only the Uniform Trade Secrets Act (which has no provisions for fair use).

Finally, the floor was turned over to Mr. Sugarman who (under pressure of time) characterized Professor Moglen's arguments as entertaining but irrelevant. All DVD CCA seeks, says Sugarman, is to take down the DeCSS code and all links to the DeCSS code. They are not seeking damages, nor are they seeking to quash discussion of the merits of the algorithm; only the trade secret itself.

Judge Elfving then thanked counsels, said there was a lot to think about, and would render his decision as soon as possible. Court was then adjourned at around 16:50.

My Analysis and Opinion:

We may readily concede that CSS was a trade secret, developed in secret, and made available under a comprehensive contract that obligated licensees to maintain the secrecy of the techniques used. It also seems fairly certain that the initial cracking of the CSS involved taking apart the Xing player and seeing how it worked. In order for this action to be a trade secret violation, Johansen's disassembly would have to be an improper use.

In order for it to have been improper, Johansen would have to be laboring under an obligation to maintain the secrecy of the Xing code and the CSS algorithm. The DVD CCA asserts that this obligation existed in the form of the shrinkwrap "agreement" which restricted, among other things, reverse engineering. So the DVD CCA's entire case hinges on whether shrinkwrap "licenses" are enforceable.

Let us put aside the fact that Johansen is Norwegian, where different laws and standards apply; and let us also put aside the fact that he is a minor, who likely can't be bound to contracts without parental consent (again, Norwegian law may differ on this point). Let us concentrate instead on this contract that, by the most tenuous forms of assent, may be considered in force and remove from the licensee a litany of valuable rights, including reverse engineering.

As I stated earlier, it is my adamant position that such documents are pure fiction; that they are not and should not be taken seriously. These instruments have little basis in law, and no basis whatsoever in simple ethics. They run counter to the real and reasonable expectations of consumers when they purchase software; that a sale has taken place, and they hold title to that particular copy of the software, subject to copyright restrictions. The "agreements" seek to alter the terms of the sale after the fact.

Further, these contracts attempt to escape vendors from the provisions of consumer protection laws, "lemon" laws, and remove from consumers their rights under Fair Use provisions of copyright law and, in some cases, the First Amendment (by forbidding discussion of benchmarks). And all one needs to do to assent to such onerous conditions is to, "install and use the software."

If A.H.Robins had attached such a license to its Dalkon Sheild, would it have been upheld? Would thousands of women around the country have found themselves unable to seek damages because they had "agreed" to hold A.H.Robins harmless? If Black&Decker attached such a license to its power saws saying you could only use Black&Decker saw blades, could it be enforced? We might concede they could cancel the warranty, but could they sue you for breach of contract, as DVD CCA has done over CSS?

Even if we were to presume such licenses are enforceable, how could they be said to apply to minors, who cannot be bound to contracts without parental consent? Must we then require that computer stores not sell software of any kind to anyone under age 18?

The idea is worse than ludicrous, it is offensive. No credible argument can be brought to bear that shrinkwrap licenses have any constructive use or benefit -- for consumers or publishers -- much less any foundation in ethics and basic human decency.

Some suggest that the "parade of horribles" that shrinkwraps enable has not happened, and is not likely to happen. I submit that a California corporation seeking a broad injunction, reaching beyond the borders of the state and even the country, to constrain domestic and foreign nationals from engaging in legitimate, ethical behavior to be a "horrible" that even the most paranoid among us could not have anticipated. There can be no further doubt that shrinkwrap licenses are a big, fat, ugly problem, and must not under any circumstances be allowed to stand.

Those who might suggest the GPL is weakened by such a position need not worry. While most commercial software "licenses" purport to constrain use, the GPL constrains copying. Absent a license of any kind, you still have the right to use your lawfully obtained software. You would not, however, have the right to make and distribute copies; the default conditions of copyright law apply. (This is true even if you're a minor.) Right to Use is concomitant with purchase; right to copy is not.

It is difficult to predict how the Judge will rule. Unlike the TRO hearing, the plaintiff was very well prepared. Both sides presented their arguments well. Judge Elfving stated that he wishes to be thorough, and will doubtless spend a good deal of effort considering the arguments. Still, both sides were articulate, and it will depend on who Judge Elfving chooses to believe, so the decision could go either way. Cross your fingers...

Schwab

BTW, there's more to this message than meets the eye. :)

GIFs are evil anyway.

In fact, with a slightly modified version of the Operating Systems Sucks-Rules-O-Meter, I found 2 websites that contained "Slashdot rules," while none for "Segfault rules". There were no websites with the phrases "Slashdot sucks" or "Segfault sucks," however.

Interesting, huh?

:-)

WIth an even more exciting methodology, the OS Sucks/Rules-o-meter uses highly refined mass survey techniques to survey the relative merits of different Operating Systems!

Translation: search Alta Vista for "Linux sucks", "Windows rules" etc., and graph the results.

Dave

--

Ignore Mindcraft, concentrate on the customer.