Developing Subversive Software?
e_lehman asks: "Software development is increasingly subject to corporate legal harassment. Suppose I want to write a program that I know corporate America won't like without being sued or arrested. How do I covertly find collaborators? How do I distribute the code? How can I distribute patches? How can I get user feedback and contributions? How can I prevent someone with a lot of resources from tracking me down? Producing "subversive software" must appeal to a lot of frustrated Slashdotters these days. How would you really go about it?"
"Examples of the problem are familiar: development of DeCSS brought police to Jon Johansen's home (Interestingly, Jon's two collaborators remain safely anonymous). Distribution of DeCSS brought onerous MPAA litigation down on 2600 and others. Development of CPHack landed Matthew Skala and Eddy Jansson with a suit from Mattel. Distribution of a driver for a barcode reader has put Michael Rothwell under legal duress. Openly defying corporate bullying is important, but grueling. Coding shouldn't always risk martyrdom.
Here are some stray ideas and questions in this vein:
- A program could be introduced to the net via a public access terminal. How common are these? Where are they? Is it easy to upload code? How do you then anonymously publicize your program?
- Code could initially be distributed in encrypted form with its function only loosely described. Lawyers would have no solid target until the key was released, which could happen once that cat was safely out of the bag-- say, after a hundred downloads.
- Do compilers slip information into binaries that could be used to identify the author? For example, do MS compilers sneak a registration number in there somewhere?
- Version 1.0 could include a cryptographic hash of a text message included in version 1.1, version 1.1 could include a hash of a message appearing in 1.2, and so on. This would let users know that a newly posted version was indeed from the original authors, without identifying those authors.
- Gnutella and Freenet are obvious distribution models. But surely RIAA and the MPAA are scrutinizing them for vulnerability to legal bombardment. Will they really hold up? A sort of free-for-all model worked for distributing DeCSS; could that work routinely?
How would you go about developing, distributing, and maintaining 'subversive software'?"
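The hash-chaining idea from the list above (each version carries a hash of a message that the next version reveals), sketched as an added example that is not part of the original submission; the `Release` fields, function names and sample payloads are constructed for illustration. It also shows the limit of the scheme as stated: the hash authenticates the revealed message, not the code shipped beside it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import List, Optional


def commit(message: bytes) -> str:
    """Commitment published one release ahead: SHA-256 of the future message."""
    return hashlib.sha256(message).hexdigest()


@dataclass
class Release:
    version: str
    payload: bytes        # the program itself (constructed sample bytes below)
    reveal: bytes         # message whose hash the previous release carried
    next_commitment: str  # hash of the message the next release will reveal


def make_chain(versions: List[str], payloads: List[bytes]) -> List[Release]:
    """Author side: one random 32-byte message per release, committed a step ahead.

    Random messages matter: a guessable text could be brute-forced from its hash.
    """
    msgs = [secrets.token_bytes(32) for _ in range(len(versions) + 1)]
    return [
        Release(v, p, msgs[i], commit(msgs[i + 1]))
        for i, (v, p) in enumerate(zip(versions, payloads))
    ]


def verify_successor(trusted: Release, candidate: Release) -> bool:
    """User side: does the candidate reveal the message the trusted release committed to?"""
    return hmac.compare_digest(commit(candidate.reveal), trusted.next_commitment)


def first_break(releases: List[Release]) -> Optional[int]:
    """Index of the first release that fails against its predecessor, else None."""
    for i in range(1, len(releases)):
        if not verify_successor(releases[i - 1], releases[i]):
            return i
    return None


if __name__ == "__main__":
    # Constructed sample data: three releases with placeholder payloads.
    chain = make_chain(["1.0", "1.1", "1.2"],
                       [b"code v1.0", b"code v1.1", b"code v1.2"])
    print("genuine chain intact:", first_break(chain) is None)

    # Someone without the committed message cannot produce a valid 1.1.
    forged = Release("1.1", b"other code", b"guessed message", commit(b"x"))
    print("forged 1.1 accepted:", verify_successor(chain[0], forged))

    # Limitation: once 1.1 is public its message is public too, so the same
    # message attached to a different payload still verifies against 1.0.
    repack = Release("1.1", b"altered code", chain[1].reveal,
                     chain[1].next_commitment)
    print("repackaged 1.1 accepted:", verify_successor(chain[0], repack))
```

Because the check passes for any payload that carries the revealed message, users relying on this scheme still need a separate integrity check on the code itself.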
I can see the charge now: "Conspiracy to Do Something"
I don't know about how the BBS scene is these days, but up until when I closed my own board, most BBSes didn't keep very detailed logs. To provide an example, I had nothing more than when the last time a user logged in was and who were the previous five callers. Nothing whatsoever about who uploaded what file.
Don't the groups that actually put out "warez" still use an elaborate BBS-based scheme before it gets onto the internet in general?
--
If a tree falls on an anonymous coward yelling 'first post' in the forest, does anybody hear?
Are these "divide and conquer" tactics working? Well, they are altering YOUR methods already. If they didn't work, you wouldn't have to ask your question.
Perhaps this is a question you should take up with the EFF or some other such body. They could use as much help as you can give.
bm :)-~
US Democracy:The best person for the job (among These pre-selected choices...)
I have taken, and prefer the high road. Hiding will give the enemy ammunition that you are hiding, therefore knowing it's wrong.
If you do something with the belief that you are right, then stand up for what you believe. It's not easy, but large corporations can be fought and you can win. Though some will refer to you as a crackpot.
If you go "underground" anyone who knows, can always surrender your name. You can always submit it to a rogue server from a cash paid public terminal. Use the Gnu or Watcom compiler to make sure that there is no embedded identification code in the executable.
Fight Spammers!
This question sounds a little fishy to me. Maybe it's just my personal opinion, but we aren't ready to go underground yet, are we? For one thing, that would eliminate any sympathy that we might have from the mainstream (it's hard to imagine the public rallying behind a group of anonymous hackers.) Furthermore, our legal system will never change if we simply circumvent it. It's not designed to work that way. Without any (openly) dissenting voices, only the opponents of free speech will be heard. Hiding only reinforces the picture that the government has successfully been painting, of a tiny group of immature hooligans who pay lip-service to "free speech," but really just want to cause trouble.
I'm sure you all think I'm naive, and I'm underestimating the damage that a lawsuit can do, but it strikes me as incredibly cowardly to do otherwise. Personally, I've sent copies of the musical version of DeCSS (a link would be helpful here) to all my friends, so that they can play it on their radio shows. None of them have blinked. Like most "broadcasters" (including authors), they know that because of their position, it is their duty to be the first line of defense against the thought police.
(Aside: Why do all my friends have radio shows? Do they hand them out at concerts or something? I want a radio show!)
MSK
Anyone with enough resources will be able to track you down. Big corps usually have good private investigators on the payroll - these guys don't have to play by the rules like the cops/feds do. You can take some steps to make things considerably more difficult, however.
Use a *good* anonymous remailer in a country other than your own. If possible, use several remailers in several different countries. Distribute your software through Freenet and encourage users to set up mirrors. Use encryption software, such as GNUPG.
These suggestions are perfectly legal ways to obfuscate your identity. This is good because if you are caught, there won't be a lot of "enhancement" charges thrown at you (like getting caught with a few grams of pot, a small scale, and a (legal) gun). Depending on exactly how "subversive" this software is, you may decide it's worth breaking a few more laws to reduce your chances of getting caught.
Hi!
I think you have to decide what you want to do:
If you want to run an Open Source project, hey, that's great. But by its very nature Open Source is open--the very opposite of clandestine. If you're going to write clandestine software you need to maintain an absolutely closed development group--you simply cannot tell the world the names and addresses of all the members in your cadre of 3l33t haX0r d00dz.
Corporations? You're Aiming Too Low
DeCSS may scare the (few remaining) wits out of the MPAA--but ultimately the MPAA is just a trade organization dedicated to staging an awards ceremony. If you really want to have a little excitement, consider doing something really subversive. Say, develop Arabic-language courseware targeted at girls (particularly Afghan girls). Or Bible-club software in modernized Chinese.
I have been involved, in years past, with an ad hoc operation that smuggled Bibles and other Christian books into countries where they were (and in several cases still are) considered contraband. The operation was relatively small--because we had limited funds, and because we depended upon people in-country to handle distribution. Our funds were limited by our need for security--if we'd broadcast to the world that we were smuggling Bibles to women in the Persian Gulf the locals might have caught on. Or worse, caught our contact in-country. Security is paramount.
That said, yes--Microsoft compilers do point to unique identifiers in things like class IDs. A necessary part of the COM interface requires a globally-unique identifier--that identifier of necessity points to your machine. That doesn't make it easy to find your machine--it only means that once the authorities get to your door they can prove that a particular class or DLL was originally compiled there. (That is, it was compiled there first--subsequent compiles on other machines won't change the class IDs, so those later builds will still point to your machine.)
Do you know that the phone company has a log of all phone calls going through its system ???
This way a small BBS will be "decrypted" immediately; FBI just needs to run a query like:
SELECT DISTINCT originating_number
FROM all_phone_calls
WHERE target_phone_number = :bbs_number;
against the phone company's data warehouse.
Tigers respect lions, elephants and hippos. Maggots respect no one. (C) S. Dovlatov
"Martyrdom"? Sometimes the preposterous, self-righteous bs here on Slashdot gets so deep I feel like putting on my rubber boots.
So you want to do some noble "power to the people" project that "corporate America won't like". Well, two things come to mind. One possibility is that you want to create something wonderful, like an extraordinary browser (Mozilla), or a whole operating system (Linux), or any number of other superb products that legitimately compete ferociously with products of "corporate America" like IE, Solaris, Oracle, etc. If that's the case, then the number of ways you could contribute to the world is virtually limitless, and you don't need to sneak around to do it. "Corporate America" calls it "competition", and it goes on above ground, in the light of day.
The other possibility is that instead of creating something of value yourself, you feel an adolescent urge to be a big hero to other adolescents by finding ways of stealing things of value created by others. You have some cartoonish image of "corporate America" as The Evil Empire from Star Wars, and you're some noble code Jedi with a compiler for a light saber. I suspect you're in this camp. If I'm mistaken, then these comments apply to those who are, but not to you.
"Corporate America", in reality, isn't one entity, and it isn't even American. It is the majority of working people in the developed world and the relatively consistent conventions they've established for cooperating as groups and individuals to convert the hours of their lives into things of value, which they then trade with other groups and individuals. It is also the relatively consistent conventions they've established to prevent people and groups from stealing from one another, forcing them to have to produce things of value themselves that can be used in voluntary trades. That increases the pot of goods and services rather than just shifting them around.
There are plenty of areas in commerce where reasonable people of good will legitimately disagree on areas of legal policy. There are also countless inequities and inefficiencies in a system that still requires human lawyers to argue the edge cases. Those with the biggest legal budgets tend to win more than their fair share of edge cases.
Unfortunately, there are also a lot of people who think it's their right to steal anything that they can get away with stealing. They frequently point to the inequities of the system as a rationalization for their base desire to simply steal something rather than trading for it.
Instead of pouring your energies into finding ways to steal from your neighbors, whom you refer to as "Corporate America" to make it sound noble, why don't you find a charity that can't afford to pay for "enterprise software" and build something for them from open source components?
Or why don't you find a way to extend the features of some open-source system to cover the needs of a group that doesn't yet have the necessary level of computer literacy to do it for themselves?
Or why don't you go out and create music or great films or whatever, and then give away what you've traded the hours of your life to produce, instead of trying to give away the hours of other peoples' lives?
"Those who have never entered upon scientific pursuits know not a tithe of the poetry by which they are surrounded."
1) E-mail
Set up a nym account with one or more of various nym servers out there:
nym.alias.net
redneck.gacracker.org
OR, you can get a paid for nym account with ZKS:
ZKS Freedom Net (They are taking applicants to beta test their Linux port now)
This takes care of having an anonymous bidirectional e-mail account that people can contact you through and will be secure from the attacks of a determined foe (be sure to change your reply blocks often though).
2) Publish the code somewhere publicly available, like the web or usenet.
The next problem is distributing your code. What you need is a means to publish the code anonymously.
Web
To contact sites like sourceforge anonymously, which provide you with a nice mechanism for releasing the code and storing it somewhere, you need a web anonymizer or an anonymous routing scheme like ZKS.
Several solutions exist to do this. In order of highest security:
ZKS Freedom Net
CROWDS
Anonymizer
Usenet:
Usenet is a means of publishing your code that is even more resistant to censorship attacks than publishing the code on a website:
mail2news gateways. These allow you to post an e-mail message to usenet, preferably after you have anonymized it thru several remailers. Posting to usenet is an EXCELLENT mechanism for getting past the most determined censor. As long as you don't start spamming your distribution, and thereby driving your BI up, you can be pretty sure that your post will not get robo-canceled. If you want to be really fancy, you can encrypt the message, publish the password in another forum, and then post the conventionally encrypted message to alt.anonymous.messages. This will defeat efforts to automatically find your post on usenet and then issue a third party cancel for it.
Here is a list of known mail2news gateways:
mail2news AT nym.alias.net
mail2news AT zedz.net
mail2news AT mixmaster.shinn.net
Send a message to one of the above e-mail addresses with "help" in the subject for instructions on how to use the gateways.
Python
I think the balance of power is seriously shifted in favor of corporations. It's not just a question of "stealing" copyrighted material, it's also about the customer's right to use that material in reasonable ways. Even though I don't agree with the use of Napster to perform large-scale free distribution of copyrighted work, I think things like Napster and DeCSS are important in order to reach some kind of acceptable balance on these issues, and ultimately to declaw UCITA, DMCA et al.
My own answer has been along these lines- I will create to the best of my ability and use the legal system to defend the interests of the people I'm creating for. That's sometimes meant GPLing software, when I could- my software is frankly not world-class, it's not really my area of expertise- and now it's beginning to mean that I must put together not only my recording studio, but also CD mastering and duplication, and even hosting for free audio. The studio's done and quite functional- CD mastering and even Video CD mastering is dead simple- duplication's going to cost me some serious money, I'll be taking out a bank loan when I have my ADAT paid off to get a duplicator- and hosting is beyond _my_ reach though I need it desperately.
All this is needed because I can't trust the commercial sector to handle it for me. The breakdown goes like this:
- Studio: the $75 an hour I'm asking is actually very low for a studio. This part is pretty straightforward- studios are service oriented and it's more a financial question than anything else.
- Mastering: mastering houses charge a _lot_ of money for what they do- the gist of it is that you can't seriously tailor the frequency range and soundstage of your CD while listening over pathetic little nearfield monitors. The need for an extra pair of ears on the project is somewhat counterbalanced by the fact that these days, mastering houses are increasingly forced to brutally compress their results until average levels are about 1 db down from peak. This sounds appalling but is louder than the competing songs on the radio ;P
- Duplication: currently having a burner will do- one nice thing about being a geek is ability to track down things like Mitsui CD-R media with process color surface-prints: it can cost six times what you can find cheap media for, and maybe twenty times what commercial CD materials cost, but archival quality is substantially better and honestly, there is a place for a quality argument. The point at which the commercial product is cheap crap at premium prices is the point at which the quality argument at reasonable prices starts to substantially work. The trick is you have to make all aspects _look_ professional- hence the process color media print, at 400 dpi carefully color corrected (the guy who does the CD printing called this 'overkill', to which I replied 'good!' ;) ) When things develop to the point that I need more duplication, it will be time to talk to my bank about the next bank loan- currently I'm paying one off for my 20-bit ADAT studio recorder, it seems reasonable to think in terms of another to get a serious CD duplicator. I'm also excited about the possibilities of producing Video CDs- which can be played in DVD players. Hooray, an accessible format for short video that can piggyback on the leverage of the stinkin' MPAA! I may get a DVD player just to test my VideoCDs on :)
- Hosting: This is the killer. I don't have any way to offer _this_. I have done some research, however, into what needs to be out there.
This last one is the hardest one, and I'm not sure how to address it- and this post is about how I'm trying to address each issue personally instead of announcing that 'someone should' do this stuff. Basically, I see a pressing need for just plain media hosting on a massive scale. It could well be restricted to mp3 and ogg vorbis (hell, include wma). It could also be restricted to 128K on two assumptions: one, it'll be important to not have everyone doing 320K and using up two and a half times the resources for their stuff, and two, it's low enough quality to justify being giveaway stuff and high enough to basically enjoy. It will not pay musicians one cent for the downloads- on the other hand it will not _charge_ musicians a cent for the hosting. Most importantly, it will have a usage agreement that protects both parties, asks only nonexclusive rights to host the material, claims no copyrights to the material, and requires any contract changes to be explicitly signed off on by the artist. (This last one is the main thing mp3.com just lost in their contract alteration).
Instead of instantly planning to fund the thing off ad banners (aren't we all sick of that by now?) I propose the hosting service be incorporated... as a 501c3 nonprofit corporation. This is a VERY IMPORTANT point for protecting artist rights in the current climate. The 501c3 must have an explicitly spelled out mission statement that it must abide by to maintain its nonprofit status. It can seek grants- it could even solicit money from the RIAA labels, 'leeching' off them to provide its services in perfect safety. It can pay server operators a relatively decent salary for doing their jobs- you wouldn't have to go hunting for MCSEs, you could spec out a proper high-load server farm and pay to have it run properly, nonprofit doesn't mean it can't pay employees a normal wage. Finally and most importantly, a 501c3 answers to the IRS and has to follow certain rules or cease to exist. It CANNOT be bought out, either in a takeover or a merger, by a commercial corporation. It can only be bought/merged with another 501c3- and for this to happen both 501c3s must have essentially (literally?) the SAME mission statement, not differing ones- and it is so hard to change a 501c3's mission statement that you might as well disband it and start a new one. And when you disband a 501c3, all assets it has must be distributed to OTHER 501c3s covering the same basic area.
When you look closely at these things (I have a friend who is expert at framing charters for 501c3s and knows all about them and has a terrific batting average for his 501c3 proposals being approved), it's amazing- almost GPL-like- it's a form of legal incorporation that uses the meanest parts of the US government (the IRS!) to protect you against rampant corporate abuses. If you are a 501c3 no commercial corporation can touch you- they can give you money for a tax break, and that's about it. They can't buy you out. They can't shut you down- even if they for some reason got totally Mafialike and pressured all your board members to disband the corporation, your resources simply get distributed to other 501c3s doing the SAME JOB. It's like the liquid metal Terminator- no amount of force can destroy you! All watched over by the IRS with gimlet eyes. You don't have to vigilantly guard against, say, major labels subverting you and making you a profit-earning subsidiary. The IRS will vigilantly guard against that :)
I'm not sure what the software sphere would need in terms of a 501c3 to develop ideas that need to remain free of corporate control. I do know the needs of my own sphere- music, media in general, video as that becomes a factor. The music sphere needs free hosting because a musician who's even slightly prolific will rapidly exceed the bounds of any personal site or typical hosting service, and it seems like most/all of the music/mp3 hosting services on the net are RIAA label controlled or copying their contractual provisions.
In order for musicians to be able to function outside the confines of RIAA ownership, they need to have the ability to own the means of production (easy: CD burners and duplicators and Internet sales) and the ability to circulate music to people who don't know the music yet. It really isn't necessary to have one recognizable site for people to _browse_ from (mp3.com is full of bands who've never been listened to- I always got most listens from mentioning what I do on Slashdot), but it is necessary to have a site with acceptable policies/contracts which won't need to be changed or moved. Wherever it is, there needs to be a fair amount of stability so that the musician can distribute CDs, posters, handouts with the URL on it. Because of mp3.com's change of contract, I have posters, CDs out there, even 24 cassette tapes that haven't even been _recorded_ yet, all with the mp3.com addy on them, which is now obsolete.
The common factor here is that it's all about giving _my_ material a base of operations that's not easily destroyable by corporate interests. I'm not attempting to, say, sample RIAA label acts and use their music as part of my composition. I am not negativland ;)
A very good question would be, how important is it to pursue development on IP that corporations have claimed as their own, and how important is it to defend IP that is actually original? Most of my response has been centered on defending the ability to produce and distribute stuff (music, video) that is original, knowing that the _facilities_ for this production and distribution are under continuous attack, but my right to produce is not actually in question.
Are programmers in danger of losing their right to produce, or is the perceived threat simply that anything programmers do will be patented by corporations and taken away from them? There is a point at which this begins to seem unreasonable. Somebody at Amazon _thought_ they invented one-click ordering, which is stupid but doesn't necessarily mean Amazon set out to 'steal' stuff from the public domain. I question the wisdom of assuming, from the start, that what YOU CREATE is so doomed that it must be 'subversive' to survive. I would suggest trying to remain visible and CREATING stuff, quite openly. Use contractual tools like the GPL to protect your interests. Don't assume you're so outclassed that you must go into hiding! We're looking at an era of much legal rule-changing. Some of the rules are changing to heavily favor corporations and piracy, by them, of intellectual property and other types of property and privileges. Some of these rules will be changed BACK once the consequences are clear. Act as if the world was fair and you had rights! Behave in good faith and don't knuckle under to the appearance of oppression. Act AS IF you had rights, know what they would be if you had them. Don't act like you are a criminal just because some other entity profits by criminalising you.
The last word is this- when you create, you set the rules. My CDs will have "All commercial rights reserved- noncommercial copying OKAY" at the bottom of every single one of them. If the RIAA manages to make (for instance) copying of tracks off audio CDs automatically illegal, I will happily participate in a test case: someone can rip my stuff and put it on Napster, and I will testify that I explicitly allow such noncommercial copying of MY CDs, thus no blanket rule can be made. The RIAA DOES NOT HAVE THE RIGHT to set MY rules, and my rules for my CDs permit noncommercial copying. I'm even spelling it out on the CD itself where it can't be missed- my wishes _will_ be respected. That's justice.