Slashdot Mirror


Slashback: DRM, Eldred, Aridity

Slashback's updates and corrections tonight include Declan McCullagh's photos from the Eldred / Lessig Supreme Court appearance, a denial from Microsoft that the company is planning to charge customers extra for security features, a reminder about your chance (well, if you're an American) to tell your elected representatives what you think about mandated DRM technology, and more. Read on.

Looking sharp in their suits. Declan McCullagh writes: "Here are some photos from after the arguments, including activists who slept on the courthouse steps, an exhausted but optimistic Larry Lessig, and the Internet Archive bookmobile, which visited Washington DC for the event."

A new meaning for 'decimation.' Martin writes "Here is a good write-up on what happened with the whole sendmail hack a week or so back. Apparently every 10th copy of the source that was downloaded from sendmail.org received the trojan'd version. Nice to see a linux hack getting some attention for a change, instead of the usual MS bashing. Here is the write-up."

I won't be charging entrance fees to Shangri La, either. After a report posted the other day indicating that Microsoft was considering charging customers more for certain security features, Software writes "According to a little snippet from Yahoo News (look towards the bottom), Microsoft won't be charging for security updates after all. As Yahoo puts it, 'Microsoft, however, said Mundie was referring to an internal proposal to begin offering stand-alone security software in the future.' No confirmation of this on Microsoft's site for the press."

As denials go, that seems like a weak one.

Where is Deep Fritz's deep game? screenbert writes "In an exciting best-of-eight chess match-up, the human is leading the computer 2 1/2 to 1/2. I find the fractions of winning amusing, almost as amusing as seeing that the best-of-eight series will take at least nine games since one of those games was a draw. For a general overview there is a good review here(1) or here(2) or here(3). And to save the 38 mandatory karma whoring comments I'll say it: Imagine if Deep Fritz ran on a Beowulf cluster."

So it's back to BYOB. gnarly writes "An earlier report of detection of water masers on extrasolar planets has been debunked."

Workaround: Get your congresspuppet hooked on Free software. Several readers wondered why (complained that) the post offering a link to the place where you can submit your comments on DRM technology to the Senate Judiciary Committee was posted section-only. So here's a reminder; if you live near D.C. (or get a chance to stop by a local office), perhaps you'll be able to stop to chat a bit about how you determine who gets your vote. (Maybe you should check out the sections, too.)

20 of 210 comments

  1. Press and Vulnerabilities in *nix by Anonymous Coward · · Score: 2, Insightful

    "Nice to see a linux hack getting some attention for a change, instead of the usual MS bashing."

    Is it not true that whenever there's a *nix vulnerability it gets posted on CERT? Is this really a "change?" Recall that there was a trojaned version of SSH going around that got plenty of attention. Maybe these "hacks" don't get as much press because there aren't so many of them. Just remember that many of the high-profile vulnerabilities have affected M$ products. If one affected a *nix product, I'm sure it'd get just as much attention, as such vulnerabilities cannot be ignored, especially by administrators.

    1. Re:Press and Vulnerabilities in *nix by NanoGator · · Score: 5, Insightful

      "Recall that there was a trojaned version of SSH going around that got plenty of attention. Maybe these "hacks" don't get as much press because there aren't so many of them. "

      Um, no. I can recall one week (3-4 weeks ago?) where the front page of Slashdot had a couple of anti-MS rantings. Go a level or two deep in Slashdot (not the main page), and there was a pretty nasty Linux worm or something floating around. Wish I had the details on me. I just remember somebody's post with a +5 moderation asking why it didn't make the front page like the similar MS stuff.

      The fact is that /. finds MS stories juicy. The more the details are twisted and bent, the more controversial the story is. This means more people commenting, and coincidentally, more banner ads getting exposed.

      It's gotten to the point that one cannot rely on the article summaries. Anybody remember the 'Microsoft kicks Sony out of Ce-Bit' article last... March or April I think? Microsoft didn't throw Sony out of a Tradeshow. Sony was breaking tradeshow rules and MS reported them. Compromises were offered, but instead Sony packed up all their PS2s and stormed out like a little kid throwing a tantrum. Despite that Sony broke the rules and refused to play because they weren't allowed to do things other trade show attendees couldn't do, MS is the one that got the bad press for it on Slashdot. Sony cheats, MS gets bad press out of it. Yeah, that's fair.

      Sorry, but the Linux Community here on Slashdot has no right to complain about that comment. Stop dishing the shit out if you can't handle some of it getting thrown back.

      --
      "Derp de derp."
    2. Re:Press and Vulnerabilities in *nix by Anonymous Coward · · Score: 1, Insightful

      First off, it should be pointed out that the original message was not about the /. community. It was about publicity in general. Perhaps what you are saying about /. is true, that anecdote is certainly not unbelievable, but that is all irrelevant. /. may have an anti-MS bias, best illustrated by the icon showing Bill Gates as a borg, but publicity about vulnerabilities in other OS' can appear elsewhere. /. is under no obligation to be perfectly unbiased. If you don't like that, start visiting sites that ARE under such an obligation.

      Oh, and BTW, regarding that last remark about the Linux community here having no right to complain: That's assuming that every single member of the Linux community here has those attitudes. Not exactly a safe assumption to make. Second of all, it was a vulnerability in sendmail, not Linux, so I'd say Linux users have every right to complain about it.

    3. Re:Press and Vulnerabilities in *nix by qortra · · Score: 4, Insightful

      Sorry, but the Linux Community here on Slashdot has no right to complain about that comment.

      Much of the community here on Slashdot that engages in what Martin would call "MS Bashing" are actually MS OS users, so I would probably not use the term "Linux Community" to generalize them. In fact, these are often people who have been victimized by MS related viruses/worms, and so they actually do have the right to complain.

      I'm sure that I can find for you plenty of trojaned win32 software that never made it to Slashdot. So your argument that one particular worm ("or something" as you so specifically point out) not being mentioned indicates the single-mindedness of Slashdot is void.

      Finally note that although sendmail is a program that was often used in GNU/Linux systems, this was not a "Linux hack" per se. In fact, I believe the ftp server that was compromised was actually running FreeBSD.

      More than that, MS flaws usually come about as a result of careless programming, whereas this problem was probably the fault of the web admin at Sendmail (a company with decidedly few resources). As long as MS has $40 billion sitting in the bank and their products are still insecure, I believe the computing community at large has the right to bash them just as much as they please.

  2. Irony? by SubtleNuance · · Score: 5, Insightful

    Nice to see a linux hack getting some attention for a change, instead of the usual MS bashing.

    sendmail != GNU/Linux.

    ...and I hope the GNU/Linux bash -- subtle as it wanted to be -- wasn't missed by the slashdotters... Isn't it a little strange to do some bashing while complaining about the "usual bashing"?

    Pot this is kettle; Kettle, Pot.

    1. Re:Irony? by NanoGator · · Score: 3, Insightful

      "Isn't it a little strange to do some bashing while complaining about the "usual bashing"?"

      No it's not unusual. If somebody takes a poke at MS, you're not going to care. But when somebody takes a painful poke at Linux, suddenly you understand what your pokes at MS feel like.

      It's not hypocrisy, it's illustration. A very effective one at that since it got a reaction out of you. A lot of the anti-MS shit that flies around Slashdot (and usually ends up as +1 Funny) is every bit as ill-founded as the Sendmail/Linux relationship. Yet, it still flies around and people pat themselves on the back. What reason would they have to tone it down if they don't know what it feels like?

      You can dismiss his comment as hypocrisy if you like. I wouldn't, though. You should see it as a reflection of what the GNU/Linux community puts out. If that kind of comment bothers you, you lose your right to complain once you start making Windows insecurity jokes.

      --
      "Derp de derp."
    2. Re:Irony? by RobotRunAmok · · Score: 2, Insightful

      Yeah, but hasn't it been pretty well established here that all the silly dollar-sign-for-esses posts and virulent Anti-MS vitriol here is coming from the high school kids/L33t HAXX0rs? You're not gonna get that crowd to change merely by talking sense. For them, MS is like some comic-book super-villain.

      As far as the whole quid-pro-quo thing goes, you gotta figure that there is probably very little you could do to some teen who gets so worked up over a computer operating system that their better-adjusted classmates haven't already done to them, in spades.

  3. There's no groupthink but whining about groupthink by 0xdeadbeef · · Score: 5, Insightful

    Nice to see a linux hack getting some attention for a change, instead of the usual MS bashing.

    It's nice to see that now, since Linux has gone mainstream, all the cool kids have turned from criticising the straw man of mindless Linux promotion to the straw man of mindless Microsoft bashing in order to be the outsider rebels.

    Say what you will about the Microsoft anathema, no Linux vendor has promoted the forced inclusion of DRM technology, or, before finding that religion, poo-pooed the importance of security. Through its entire history, Microsoft has given us plenty of justification for criticism. If you don't understand that, then you're as dim as the 'slashbots' to which you feel superior.

  4. Re:security by dirvish · · Score: 4, Insightful

    It seems like a paid microsoft security program would be a huge target. I am sure there is nothing more some people would like than to throw mud in M$ face by hacking their extra secure pay thingy. I would find it humorous if a bunch of people paid microsoft money for extra secure software just to have it get hosed worse than anything else.

  5. Re:Goddamn Micro$oft by WeaponOfChoice · · Score: 4, Insightful

    I think it's more like charging more for seatbelts and crumple zones myself.

    And with this model sir, for only a little more, you and your family will enjoy a full 30% increase in their chances of survival in the event of a head on crash...

    On the other hand you could look at it like brakes: they keep you alive and need regular fluids and servicing that doesn't come free...

    --


    It's not that I'm Anti-American - I'm Pro-Freedom
  6. On DRM and Fritz... by carlmenezes · · Score: 5, Insightful

    DRM is wrong. Given the fact that it's a law that the person who buys the software has the right to make a backup copy, it's a perfect example of corporate America pushing the envelope on what they can get away with - as in, keep making it more difficult to make a backup. What DRM SHOULD be is a technology that allows the purchaser to make a backup, but not distribute that backup - something along the lines of authentication that the person installing the software from backup is who he says he is (using smart cards comes to mind here). In its current form, we need to fight DRM as it is nothing but another monopoly tool.

    On a different note, Fritz is going to get a thorough beating. Why? Because Kramnik is known for his defensive play and he even bested Kasparov using the Berlin Defense. Now, what is needed is either a LOT more processing power to search for the right moves, or a little unpredictability (which I think would be better). GMs and IMs use programs like Fritz every day for practice and hence know its playing style. Though you can train Fritz depending on what game databases you feed it, it still plays like a computer. Contrast this with the fact that a program called Arasan beat Vishwanathan Anand (currently no. 2) in a best of three Blitz tournament, because it had trained on Anand's games, AND, the programming team drastically changed its playing style before the match. It is easy for a computer to change its playing style and still play well - not so for a human. I feel this is what they should be concentrating on - unpredictability.

    --
    Find a job you like and you will never work a day in your life.
  7. Every tenth download by MavEtJu · · Score: 5, Insightful

    If the evidence confirms the theory, the hack would definitely be a strange way to compromise a downloadable file, said Marc Maiffret, chief hacking officer for security software firm eEye Digital Security.

    "I'm not sure why they would want to do that," he said.


    Come on guys, it's not rocket-science. It's all just to prevent alarms going off.

    Scenario 1: I just downloaded an infected version of sendmail and verify the checksum: failed. Hmm... let's try again. Aha, it's okay this time.

    Scenario 2: I just downloaded an infected version of sendmail, verified the checksum and informed the people at sendmail.org about it. They say: nothing wrong here, try again. I try again and it's okay this time.

    Scenario 3: As 2, but the people at sendmail.org get too many complaints and start to get suspicious.

    Scenario 4: I just downloaded an infected version of sendmail, verified the checksum and informed the people at sendmail.org about it. They say: nothing wrong here, try again. I try again and it's okay this time. I kept the broken version and find out what the difference is.

    How often do the scenarios happen?

    Scenario 1: 99% of the time.
    Scenario 2: 0% of the time.
    Scenario 3: 0% of the time (less than 2).
    Scenario 4: 0% of the time (less than 2).

    With the OpenSSH hack I tried to re-download the broken version twice too before I started to get suspicious. I wouldn't have been suspicious at all if it worked fine the second time.

    Edwin.

    --
    bash$ :(){ :|:&};:
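Added example, not part of the comment above or of the Slashdot page: the comment's Scenario 4 (keep the failed copy instead of silently retrying) written as a download check. It assumes SHA-256 and an expected digest obtained from a channel other than the download server; the function names, the `mismatches.jsonl` log and the sample bytes are all constructed for illustration.

```python
import hashlib
import hmac
import json
import shutil
import tempfile
import time
from collections import Counter
from pathlib import Path


def sha256_of(path, chunk_size=1 << 16):
    """Hash the file in chunks so large tarballs are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_or_quarantine(path, expected_hex, quarantine_dir, source=""):
    """Return True on a match. On a mismatch, keep the file as evidence.

    The mismatching file is moved (not deleted) into quarantine_dir under a
    name carrying its observed digest, and one JSON line is appended to
    mismatches.jsonl so that repeated failures stay visible after a retry.
    """
    path = Path(path)
    observed = sha256_of(path)
    if hmac.compare_digest(observed, expected_hex.strip().lower()):
        return True
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    # Same digest means same bytes, so reusing the name loses nothing.
    kept = qdir / f"{observed[:16]}-{path.name}"
    shutil.move(str(path), str(kept))
    record = {"time": int(time.time()), "source": source, "file": kept.name,
              "expected": expected_hex, "observed": observed}
    with open(qdir / "mismatches.jsonl", "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return False


def repeated_mismatches(quarantine_dir):
    """Map each wrong digest to how often it was seen.

    Heuristic: transfer corruption tends to give a different digest each
    time; the same wrong digest recurring points at a substituted file.
    """
    log_path = Path(quarantine_dir) / "mismatches.jsonl"
    if not log_path.exists():
        return {}
    with open(log_path, encoding="utf-8") as log:
        return dict(Counter(json.loads(line)["observed"] for line in log))


def demo():
    """Constructed scenario: two altered downloads, then a clean retry."""
    good, altered = b"constructed release bytes", b"constructed altered bytes"
    expected = hashlib.sha256(good).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        target, qdir = Path(tmp) / "pkg.tar.gz", Path(tmp) / "quarantine"
        results = []
        for body in (altered, altered, good):
            target.write_bytes(body)
            results.append(verify_or_quarantine(target, expected, qdir, "mirror-A"))
        return results, repeated_mismatches(qdir)


if __name__ == "__main__":
    print(demo())
```
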
  8. Re:Elastic Clause by Anonymous Coward · · Score: 5, Insightful

    That is NOT what the clause was intended to do.

    I disagree. That IS exactly what it was intended to do. Quoth the Constitution (Art I, Sec 8):

    "To make all laws which shall be necessary and proper for carrying into execution the foregoing powers, and all other powers vested by this Constitution in the government of the United States, or in any department or officer thereof."

    The "foregoing powers" are the enumerated powers of Congress, one of which happens to be:

    "To promote the progress of science and useful arts, by securing for limited times to authors and inventors the exclusive right to their respective writings and discoveries;"

    So calling in the necessary and proper clause is perfectly acceptable. His claim is that the CTEA is necessary and proper to carry out the promotion of science and useful arts. I stress again that this is an acceptable argument.

    HOWEVER, this is Eldred's point; the CTEA is NOT necessary, nor is it proper, in promoting science and art. Retroactive extensions do not promote.

    This case is about whether the CTEA is necessary and proper, so I find his reference to the nec. and proper clause to be a bit daft. Yes, thank you for telling us that Congress is allowed to make good laws. If this wasn't an enumerated power then maybe there would be a purpose for calling attention to the clause. But in this case all he's done is say Congress can make laws about copyrights and patents. Duh. Nobody is challenging that Mr. Olson.

  9. Re:Didn't focus on First Amendment by Loki_1929 · · Score: 5, Insightful

    "Lessig's approach to go back to the copyright clause and not focus on the first amendment issues was not the right approach."

    Considering the fact that the supremes basically dismissed the First Amendment approach immediately, I'd say focusing on it now would be a bit of a mistake. That being said, I think a well-developed argument against the insanely long extended copyrights based exclusively on the idea that they are detrimental to the free and open exchange of ideas (read: free speech), and that the costs outweigh whatever benefits are derived from the latest extension to copyrights would have at least as much of a chance in court as does the current argument. I also think that someone needs to point out, in response to the justices' repeated questions about the ensuing copyright chaos that would follow a decision against the mouse act, that chaos already reigns supreme in the world of copyrights. Patents and trademarks are fairly well tracked, but copyrights are most certainly not. If they want to keep copyrights more simple, strike down every single extension and go back to the original 14 years. (I think it was 14, could be wrong - too lazy to double check) If the whole of Disney's entertainment empire rests squarely on its control over an imaginary rodent, then perhaps the investors should re-evaluate their portfolios.

    Put simply, if your business sucks, no amount of legislation can keep you afloat forever, and shame on those elected officials who would help you at the expense of those they (supposedly) represent.

    --
    -- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
  10. Re:Goddamn Micro$oft by umStefa · · Score: 4, Insightful

    Except that Ford does not have a virtual monopoly.

    Microsoft controls the desktop OS market and hence, if they decided to charge for security features the majority of people would have no choice but to spend the money.

    Of course people could always switch to Linux (like I did) but the associated frustrations with initial configuration would prevent most users from successfully making the switch.

    --
    Technology is most abused by the very people it was created to help
  11. Political Reality by sterno · · Score: 5, Insightful

    Let me ask you this: are you more likely to vote a politician into office because of his position on DRM or his position on military action in Iraq?

    The problem is that, in a time when there are really serious concerns, something relatively obscure like DRM is going to get pushed to the bottom of the priority list. The state of the economy is a whole lot more important than the state of DRM. Both issues concern me, but one has to weigh them very differently. Hard to seriously vote against somebody who's in the RIAA's pocket but is willing to make a stand against military action in Iraq (if you tend to lean that political direction).

    --
    This sig has been temporarily disconnected or is no longer in service
  12. Copyright motivates creation of works after death? by Anonymous Coward · · Score: 5, Insightful
    According to the paper,
    The court, [Olsen] said, should not say that 99 years is too long for a copyright to exist, noting that the works of Herman Melville and Franz Schubert ''weren't valued until many years after their deaths.''
    Someone please explain to this taxpayer employee that the purpose of copyright is to encourage writers to contribute more work to the public. No amount of copyright extension, illegal or otherwise, would be sufficient to get Melville and Schubert to rise from their graves and start creating again.
  13. MS/Linux Bashing by KagatoLNX · · Score: 5, Insightful

    Why does this crap bother everyone so much? For anyone who cares, try the following science experiment:

    Hypothesis: Microsoft software is buggier and less secure than Linux software.

    Experiment: Debian 3.0 and Internet Explorer 6 SP1 are recent releases (i.e. good examples of respective software packages). Test each one's security needs by updating each from their respective security archives. The one with the most fixes is the most buggy (this assumes bugs are the norm and fixes indicate their prevalence in the code, history bears this out).

    Results: Debian has about 8 updates. IE6 SP1 has about 15 critical updates. The IE updates are five times the size of the Debian ones.

    Analysis: IE should have the advantage here. It is only a web browser against an entire distribution. It also was released noticeably later, giving less time to discover bugs.

    Conclusion: Hypothesis is supported.

    Any other experiments?
    How about a histogram of bugtraq notices? How about one weighted by severity?

    Software is software. It all has bugs. The only way to combat it is good development practices--things like rigor, testing, attention to detail, lots of review, and careful design.

    MS has shown (and still shows) that it puts these goals second to political maneuvering, time to market, and (sometimes underhanded) competition.

    I damn well will bash a business that is only after my pocketbook (MS) every time they screw up. I also will vehemently defend people developing code for all to use (OSS). Even if they were equally buggy, I'll pick goodwill over greedy corporation any day.

    Sorry, but Open Source and Microsoft (a.k.a. good versus evil :) is not Tommy Hilfiger versus Ralph Lauren. If you want to argue fashion go read Cosmo or Vogue. I care about nothing less or more than solving problems with computers in an open, useful, honest, secure way that doesn't make me a corporate whore.

    I just wish that "Visual Basic" and the like hadn't convinced a bunch of second rate graphic artists that they were "programmers". There's nothing more disheartening than being surrounded and outnumbered by loud idiots desperate to cling to the greedy corporate teat that enabled them to do something other than flip burgers.

    --
    I think Mauve has the most RAM. --PHB (Dilbert Comic)
  14. Microsoft to replace the Zone Alarm by gregm · · Score: 3, Insightful

    I've been waiting on this one for awhile. It has to drive them nuts to have a firewall like the zone alarm reporting all the behind the scenes discussions the print spooler subsystem etc. are having with someone on the net. They'll probably include some lite version of their zone alarm for free and a pro version for money... think defrag... Of course neither version will tell us anything about any of their covert communications with our computers.

    And think of all the money they're losing out on to McAfee and Norton for antivirus software. If I were a conspiracy theorist...oh wait... I am, I might think they've purposely not cleaned up Outlook just to create a market that they can swoop in and take over like they're known to do. bastards

  15. Re:I think screenbert needs to play more chess by skyhawker · · Score: 3, Insightful

    It also seems that many folks don't understand why such matches have an even number of games -- in order to equalize the number of times each player plays as white or black. Also, it's theoretically possible for all games to be drawn, so there's never really a guarantee that any match will be decisive.

    --

    The best diplomat I know is a fully activated phaser bank.
    -- Scotty.