Developing Subversive Software?
e_lehman asks: "Software development is increasingly subject to corporate legal harassment. Suppose I want to write a program that I know corporate America won't like without being sued or arrested. How do I covertly find collaborators? How do I distribute the code? How can I distribute patches? How can I get user feedback and contributions? How can I prevent someone with a lot of resources from tracking me down? Producing "subversive software" must appeal to a lot of frustrated Slashdotters these days. How would you really go about it?"
"Examples of the problem are familiar: development of DeCSS brought police to Jon Johansen's home (Interestingly, Jon's two collaborators remain safely anonymous). Distribution of DeCSS brought onerous MPAA litigation down on 2600 and others. Development of CPHack landed Matthew Skala and Eddy Jansson with a suit from Mattel. Distribution of a driver for a barcode reader has put Michael Rothwell under legal duress. Openly defying corporate bullying is important, but grueling. Coding shouldn't always risk martyrdom.
Here are some stray ideas and questions in this vein:
- A program could be introduced to the net via a public access terminal. How common are these? Where are they? Is it easy to upload code? How do you then anonymously publicize your program?
- Code could initially be distributed in encrypted form with its function only loosely described. Lawyers would have no solid target until the key was released, which could happen once that cat was safely out of the bag-- say, after a hundred downloads.
- Do compilers slip information into binaries that could be used to identify the author? For example, do MS compilers sneak a registration number in there somewhere?
- Version 1.0 could include a cryptographic hash of a text message included in version 1.1, version 1.1 could include a hash of a message appearing in 1.2, and so on. This would let users know that a newly posted version was indeed from the original authors, without identifying those authors.
- Gnutella and Freenet are obvious distribution models. But surely RIAA and the MPAA are scrutinizing them for vulnerability to legal bombardment. Will they really hold up? A sort of free-for-all model worked for distributing DeCSS; could that work routinely?
How would you go about developing, distributing, and maintaining 'subversive software'?"
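The version-to-version hash idea in the question above, as an added example that is not part of the original post: each release publishes the hash of a message that only the next release reveals, and a user checks the link from a version they already trust. The record layout, function names and the use of SHA-256 with random 32-byte messages instead of a readable text are assumptions.

```python
import hashlib
import hmac
import secrets


def commitment(message: bytes) -> str:
    """SHA-256 digest that is published one version before the message."""
    return hashlib.sha256(message).hexdigest()


def build_chain(payloads):
    """Each release reveals the message its predecessor committed to and
    commits to the message its successor will reveal."""
    # Constructed secrets: 32 random bytes each, so a published hash cannot
    # be reversed by guessing a short or predictable text.
    messages = [secrets.token_bytes(32) for _ in range(len(payloads) + 1)]
    return [
        {
            "payload": payload,
            "reveal": messages[i],
            "next_commitment": commitment(messages[i + 1]),
        }
        for i, payload in enumerate(payloads)
    ]


def is_successor(trusted, candidate) -> bool:
    """True if candidate reveals the preimage of trusted's commitment."""
    return hmac.compare_digest(
        commitment(candidate["reveal"]), trusted["next_commitment"]
    )


def verify_chain(releases) -> int:
    """Count the releases, starting at the trusted first one, that link up."""
    linked = 1
    for prev, cur in zip(releases, releases[1:]):
        if not is_successor(prev, cur):
            break
        linked += 1
    return linked


def unrelated_release(payload: bytes):
    """A release from someone who never held the committed message."""
    return {
        "payload": payload,
        "reveal": secrets.token_bytes(32),
        "next_commitment": commitment(secrets.token_bytes(32)),
    }


# Constructed sample input: three versions of a hypothetical program.
CHAIN = build_chain([b"v1.0 source", b"v1.1 source", b"v1.2 source"])
```

The check shows only that the publisher knew the committed message; it does not cover the payload, and the message stops being secret the moment a version is published. Users therefore still need to compare a download against a copy they trust, for example by a separately published digest of the payload.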
I can see the charge now: "Conspiracy to Do Something"
The problem is this: if these files are originating at a BBS, the Man can just make that BBS' owner *start* logging or shut down. You can't have a single, stationary point of injection that can be traced to a person any more than you can just post it under your real name, because the effect is the same.
What's needed is a way to set up a "front" site and post your code there, without either being traceable to you, and without ever using the same front site twice. That way they can't catch you when you come back, since you don't.
This question sounds a little fishy to me. Maybe it's just my personal opinion, but we aren't ready to go underground yet, are we? For one thing, that would eliminate any sympathy that we might have from the mainstream (it's hard to imagine the public rallying behind a group of anonymous hackers.) Furthermore, our legal system will never change if we simply circumvent it. It's not designed to work that way. Without any (openly) dissenting voices, only the opponents of free speech will be heard. Hiding only reinforces the picture that the government has successfully been painting, of a tiny group of immature hooligans who pay lip-service to "free speech," but really just want to cause trouble.
I'm sure you all think I'm naive, and I'm underestimating the damage that a lawsuit can do, but it strikes me as incredibly cowardly to do otherwise. Personally, I've sent copies of the musical version of DeCSS (a link would be helpful here) to all my friends, so that they can play it on their radio shows. None of them have blinked. Like most "broadcasters" (including authors), they know that because of their position, it is their duty to be the first line of defense against the thought police.
(Aside: Why do all my friends have radio shows? Do they hand them out at concerts or something? I want a radio show!)
MSK
Do you know that the phone company has a log of all phone calls going through its system ???
This way a small BBS will be "decrypted" immediately; FBI just needs to run a query like:
SELECT DISTINCT originating_number
FROM all_phone_calls
WHERE target_phone_number = :bbs_number;
against the phone company's data warehouse.
Tigers respect lions, elephants and hippos. Maggots respect no one. (C) S. Dovlatov
1) E-mail
Set up a nym account with one or more of various nym servers out there:
nym.alias.net
redneck.gacracker.org
OR, you can get a paid-for nym account with ZKS:
ZKS Freedom Net (They are taking applicants to beta test their Linux port now)
This takes care of having an anonymous bidirectional e-mail account that people can contact you through and will be secure from the attacks of a determined foe (be sure to change your reply blocks often though).
2) Publish the code somewhere publicly available, like the web or usenet.
The next problem is distributing your code. What you need is a means to publish the code anonymously.
Web
To contact sites like sourceforge anonymously, which provide you with a nice mechanism for releasing the code and storing it somewhere, you need a web anonymizer or an anonymous routing scheme like ZKS.
Several solutions exist to do this. In order of highest security:
ZKS Freedom Net
CROWDS
Anonymizer
Usenet:
Usenet is a means of publishing your code that is even more resistant to censorship attacks than publishing the code on a website:
mail2news gateways. These allow you to post an e-mail message to usenet, preferably after you have anonymized it thru several remailers. Posting to usenet is an EXCELLENT mechanism for getting past the most determined censor. As long as you don't start spamming your distribution, and thereby driving your BI up, you can be pretty sure that your post will not get robo-canceled. If you want to be really fancy, you can encrypt the message, publish the password in another forum, and then post the conventionally encrypted message to alt.anonymous.messages. This will defeat efforts to automatically find your post on usenet and then issue a third party cancel for it.
Here is a list of known mail2news gateways:
mail2news AT nym.alias.net
mail2news AT zedz.net
mail2news AT mixmaster.shinn.net
Send a message to one of the above e-mail addresses with "help" in the subject for instructions on how to use the gateways.
My own answer has been along these lines- I will create to the best of my ability and use the legal system to defend the interests of the people I'm creating for. That's sometimes meant GPLing software, when I could- my software is frankly not world-class, it's not really my area of expertise- and now it's beginning to mean that I must put together not only my recording studio, but also CD mastering and duplication, and even hosting for free audio. The studio's done and quite functional- CD mastering and even Video CD mastering is dead simple- duplication's going to cost me some serious money, I'll be taking out a bank loan when I have my ADAT paid off to get a duplicator- and hosting is beyond _my_ reach though I need it desperately.
All this is needed because I can't trust the commercial sector to handle it for me. The breakdown goes like this:
- Studio: the $75 an hour I'm asking is actually very low for a studio. This part is pretty straightforward- studios are service oriented and it's more a financial question than anything else.
- Mastering: mastering houses charge a _lot_ of money for what they do- the gist of it is that you can't seriously tailor the frequency range and soundstage of your CD while listening over pathetic little nearfield monitors. The need for an extra pair of ears on the project is somewhat counterbalanced by the fact that these days, mastering houses are increasingly forced to brutally compress their results until average levels are about 1 db down from peak. This sounds appalling but is louder than the competing songs on the radio ;P
- Duplication: currently having a burner will do- one nice thing about being a geek is ability to track down things like Mitsui CD-R media with process color surface-prints: it can cost six times what you can find cheap media for, and maybe twenty times what commercial CD materials cost, but archival quality is substantially better and honestly, there is a place for a quality argument. The point at which the commercial product is cheap crap at premium prices is the point at which the quality argument at reasonable prices starts to substantially work. The trick is you have to make all aspects _look_ professional- hence the process color media print, at 400 dpi carefully color corrected (the guy who does the CD printing called this 'overkill', to which I replied 'good!' ;) ) When things develop to the point that I need more duplication, it will be time to talk to my bank about the next bank loan- currently I'm paying one off for my 20-bit ADAT studio recorder, it seems reasonable to think in terms of another to get a serious CD duplicator. I'm also excited about the possibilities of producing Video CDs- which can be played in DVD players. Hooray, an accessible format for short video that can piggyback on the leverage of the stinkin' MPAA! I may get a DVD player just to test my VideoCDs on :)
- Hosting: This is the killer. I don't have any way to offer _this_. I have done some research, however, into what needs to be out there.
This last one is the hardest one, and I'm not sure how to address it- and this post is about how I'm trying to address each issue personally instead of announcing that 'someone should' do this stuff.
Basically, I see a pressing need for just plain media hosting on a massive scale. It could well be restricted to mp3 and ogg vorbis (hell, include wma). It could also be restricted to 128K on two assumptions: one, it'll be important to not have everyone doing 320K and using up two and a half times the resources for their stuff, and two, it's low enough quality to justify being giveaway stuff and high enough to basically enjoy. It will not pay musicians one cent for the downloads- on the other hand it will not _charge_ musicians a cent for the hosting. Most importantly, it will have a usage agreement that protects both parties, asks only nonexclusive rights to host the material, claims no copyrights to the material, and requires any contract changes to be explicitly signed off on by the artist. (This last one is the main thing mp3.com just lost in their contract alteration).
Instead of instantly planning to fund the thing off ad banners (aren't we all sick of that by now?) I propose the hosting service be incorporated... as a 501c3 nonprofit corporation. This is a VERY IMPORTANT point for protecting artist rights in the current climate. The 501c3 must have an explicitly spelled out mission statement that it must abide by to maintain its nonprofit status. It can seek grants- it could even solicit money from the RIAA labels, 'leeching' off them to provide its services in perfect safety. It can pay server operators a relatively decent salary for doing their jobs- you wouldn't have to go hunting for MCSEs, you could spec out a proper high-load server farm and pay to have it run properly, nonprofit doesn't mean it can't pay employees a normal wage. Finally and most importantly, a 501c3 answers to the IRS and has to follow certain rules or cease to exist. It CANNOT be bought out, either in a takeover or a merger, by a commercial corporation. It can only be bought/merged with another 501c3- and for this to happen both 501c3s must have essentially (literally?) the SAME mission statement, not differing ones- and it is so hard to change a 501c3's mission statement that you might as well disband it and start a new one. And when you disband a 501c3, all assets it has must be distributed to OTHER 501c3s covering the same basic area.
When you look closely at these things (I have a friend who is expert at framing charters for 501c3s and knows all about them and has a terrific batting average for his 501c3 proposals being approved), it's amazing- almost GPL-like- it's a form of legal incorporation that uses the meanest parts of the US government (the IRS!) to protect you against rampant corporate abuses. If you are a 501c3 no commercial corporation can touch you- they can give you money for a tax break, and that's about it. They can't buy you out. They can't shut you down- even if they for some reason got totally Mafialike and pressured all your boardmembers to disband the corporation, your resources simply get distributed to other 501c3s doing the SAME JOB. It's like the liquid metal Terminator- no amount of force can destroy you! All watched over by the IRS with gimlet eyes. You don't have to vigilantly guard against, say, major labels subverting you and making you a profit-earning subsidiary. The IRS will vigilantly guard against that :)
I'm not sure what the software sphere would need in terms of a 501c3 to develop ideas that need to remain free of corporate control. I do know the needs of my own sphere- music, media in general, video as that becomes a factor. The music sphere needs free hosting because a musician who's even slightly prolific will rapidly exceed the bounds of any personal site or typical hosting service, and it seems like most/all of the music/mp3 hosting services on the net are RIAA label controlled or copying their contractual provisions.
In order for musicians to be able to function outside the confines of RIAA ownership, they need to have the ability to own the means of production (easy: CD burners and duplicators and Internet sales) and the ability to circulate music to people who don't know the music yet. It really isn't necessary to have one recognizable site for people to _browse_ from (mp3.com is full of bands who've never been listened to- I always got most listens from mentioning what I do on Slashdot), but it is necessary to have a site with acceptable policies/contracts which won't need to be changed or moved. Wherever it is, there needs to be a fair amount of stability so that the musician can distribute CDs, posters, handouts with the URL on it. Because of mp3.com's change of contract, I have posters, CDs out there, even 24 cassette tapes that haven't even been _recorded_ yet, all with the mp3.com addy on them, which is now obsolete.
The common factor here is that it's all about giving _my_ material a base of operations that's not easily destroyable by corporate interests. I'm not attempting to, say, sample RIAA label acts and use their music as part of my composition. I am not negativland ;)
A very good question would be, how important is it to pursue development on IP that corporations have claimed as their own, and how important is it to defend IP that is actually original? Most of my response has been centered on defending the ability to produce and distribute stuff (music, video) that is original, knowing that the _facilities_ for this production and distribution are under continuous attack, but my right to produce is not actually in question.
Are programmers in danger of losing their right to produce, or is the perceived threat simply that anything programmers do will be patented by corporations and taken away from them? There is a point at which this begins to seem unreasonable. Somebody at Amazon _thought_ they invented one-click ordering, which is stupid but doesn't necessarily mean Amazon set out to 'steal' stuff from the public domain. I question the wisdom of assuming, from the start, that what YOU CREATE is so doomed that it must be 'subversive' to survive. I would suggest trying to remain visible and CREATING stuff, quite openly. Use contractual tools like the GPL to protect your interests. Don't assume you're so outclassed that you must go into hiding! We're looking at an era of much legal rule-changing. Some of the rules are changing to heavily favor corporations and piracy, by them, of intellectual property and other types of property and privileges. Some of these rules will be changed BACK once the consequences are clear. Act as if the world was fair and you had rights! Behave in good faith and don't knuckle under to the appearance of oppression. Act AS IF you had rights, know what they would be if you had them. Don't act like you are a criminal just because some other entity profits by criminalising you.
The last word is this- when you create, you set the rules. My CDs will have "All commercial rights reserved- noncommercial copying OKAY" at the bottom of every single one of them. If the RIAA manages to make (for instance) copying of tracks off audio CDs automatically illegal, I will happily participate in a test case: someone can rip my stuff and put it on Napster, and I will testify that I explicitly allow such noncommercial copying of MY CDs, thus no blanket rule can be made. The RIAA DOES NOT HAVE THE RIGHT to set MY rules, and my rules for my CDs permit noncommercial copying. I'm even spelling it out on the CD itself where it can't be missed- my wishes _will_ be respected. That's justice.