To give you an idea about how slow Apple are about patching security holes, and to add another data point to the description:
I reported the security issue known as CVE-2009-1697 (which is included in this large patch release). The e-mail back from Apple confirming receiving my report of this issue is dated January 7, 2009 in my e-mail inbox. That's about half a year ago.
Now, granted the security bug I reported is actually very difficult to exploit and do anything actually useful with. Basically, if you used XMLHttpRequests in Safari and requested a URL ending with a newline, it would end up in the final HTTP request as double newlines. I.e. the HTTP header would be terminated prematurely (before the Host: header, significantly) and thereby allow javascript to access files hosted on the default website on the same server the javascript was served from. For example, if victim.example.com is served on the same IP address as evil.example.com - javascript on evil.example.com could use this to request files on victim.example.com.
In other words - you could do cross-site-scripting targeting another web site served on the same IP address as the web site hosting the exploit.
Still, took them about 6 months to patch it and actually roll out an update, it seems. Heh.
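A simplified model of the effect described in the comment above, added here as an example (it is not the commenter's code, nor Safari's or any web server's). The two raw requests are constructed samples; `DEFAULT_VHOST` and all function names are assumptions. It shows why a header block that ends before `Host:` lands on the default site, and two checks that stop it: rejecting control characters in the request target on the client, and answering 400 to an HTTP/1.1 request without `Host` on the server.

```javascript
// Added example. Host names come from the comment; DEFAULT_VHOST and the
// function names are assumptions made for illustration.
const VHOSTS = new Set(['evil.example.com', 'victim.example.com']);
const DEFAULT_VHOST = 'victim.example.com'; // assumed default site on the shared IP

// Constructed samples: a well-formed request, and one whose request line is
// followed by a second line break, so the header block is already over
// before the Host: line arrives.
const NORMAL_REQUEST =
  'GET /index.html HTTP/1.1\r\nHost: evil.example.com\r\n\r\n';
const TRUNCATED_REQUEST =
  'GET /private.txt HTTP/1.1\r\n\r\nHost: evil.example.com\r\n\r\n';

// Split the header block the way a server does: it ends at the first empty line.
function parseHead(raw) {
  const lines = raw.split(/\r?\n/);
  const requestLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    if (line === '') break; // blank line terminates the headers
    const i = line.indexOf(':');
    if (i > 0) {
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
  }
  return { requestLine, headers };
}

// Lenient routing: a missing or unknown Host silently falls back to the default site.
function routeLenient(raw) {
  const { headers } = parseHead(raw);
  return VHOSTS.has(headers.host) ? headers.host : DEFAULT_VHOST;
}

// Strict routing: an HTTP/1.1 request without Host is rejected with 400
// instead of being served from the default site.
function routeStrict(raw) {
  const { requestLine, headers } = parseHead(raw);
  if (/ HTTP\/1\.1$/.test(requestLine) && !headers.host) {
    return { status: 400, vhost: null };
  }
  return {
    status: 200,
    vhost: VHOSTS.has(headers.host) ? headers.host : DEFAULT_VHOST,
  };
}

// Client-side check: a request target may not contain whitespace or control
// characters, so a URL ending in a newline is refused before serialisation.
function isSafeRequestTarget(target) {
  return !/[\x00-\x20\x7f]/.test(target);
}

console.log('normal    ->', routeLenient(NORMAL_REQUEST));
console.log('truncated ->', routeLenient(TRUNCATED_REQUEST), '(lenient)');
console.log('truncated ->', routeStrict(TRUNCATED_REQUEST).status, '(strict)');
console.log('target ok?  ', isSafeRequestTarget('/private.txt\n'));
```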
Running your web sites on non-standard ports is a great way for your web site not to be accessible to users accessing the internet through firewalls that limit egress traffic based on TCP destination ports.
Actually, this isn't as bad an idea as you might think.
Consider what Adobe's goal in all this is. They want to be able to stream an entire video to your computer, in anticipation that you will pay for it. They could conceivably do this by transmitting the video to the presumptive buyer encrypted. At purchase, Adobe's servers would transmit the decryption key.
Now, true, this won't do anything to stop anybody from copying the video *after* it's been paid for. But in this particular case, encryption technology *can* be used to solve the particular problem of being able to pre-stream video content to a potential buyer without allowing him to view the material, in a cryptographically sound way.
I'm not sure if this would fit under the traditional definition of DRM though -- after all, the scheme I propose is cryptographically sound. :-P
I beg to differ. The attitude of "what have you done for me lately" isn't bullshit.
In most lines of work, you do your work that you're paid to do, get your paycheck and that's all the compensation you'll ever get or should get. You don't expect to be paid throughout the endurance of said work. Imagine turning up at a former place of work in say 10 years and telling them, "hey, I see you're still using that data center I designed for you 10 years ago, give me more money", you'd be laughed out of there.
Now, the current model of selling music recordings doesn't quite work like that. You record your music, then you sell it hoping to get some or all of that money back. Even make a profit if you're lucky.
Finally, just because there's a market for nostalgia doesn't mean that copyrights should automatically span so that artists can cash in on it. What you'd call nostalgia, I'd call history, or cultural heritage, and should not be locked up to be only sold on the whim of the copyright holder.
I guess the difference between us is not one of principle, but of degree. You want something like 25 years. I want something closer to 5 years, and to make clear that copyright protection preventing duplication should only cover *commercial* duplication of said work. Older works are valuable, yes. That's precisely why commercial distribution of such works shouldn't be bottled up longer than necessary. 5 years is plenty of time to have a monopoly on a work, to have an opportunity to turn a profit on it.
It is clear beyond a shadow of a doubt what is meant by 'normal exploitation' and flat-out destroying the commercial market for private copies is definitively in conflict with it.
The existence or even the prevalence of authorised copies on the Internet do not make it impossible to sell authorised copies. Whether that is hurting or helping the market for authorised copies is debatable -- clearly not "destroying the commercial market for private copies" "beyond a shadow of a doubt". The market for copies is not a zero sum game. If somebody pays according to going rates for 10% of what recordings he has in his possession, but pirates the rest, he has 10 times more than he would have had had he not copied anything. It's unlikely he'd suddenly spend 10 times more on authorised copies if it became impossible to pirate stuff tomorrow. In essence, the group of rightholders at large has not lost anything, while that person has gained in the recordings he has in his possession. I don't think this is a bad thing.
I would strongly disagree that explicitly legalizing noncommercial reproduction of copyrighted works is "ripping out the heart of the Berne convention and pissing on it" as you so colourfully put it. If you want to talk about the heart of the principle of copyright or the Berne convention, you have to go back to the time where the means of duplication of recordings was a tool of power wielded by the few. The original intent of copyright is to prevent profiteering of other people's work, not to stop noncommercial exchange of such recordings. The current incarnation dates back to 1971 -- where nobody could ever dream of an information paradigm shift as significant as the Gutenberg printing press -- the Internet. Nobody wants a society where an author toils away at a work, only to have it stolen from him and sold. Such rights of commercial exploitation by the author should be respected and preserved.
As you say, the US copyright law has a four factor test to determine what is and what isn't fair use in the eyes of US law. That in itself sets precedent -- the determination of what is and what isn't fair use (setting criterion to implement a possible definition of fair use) is a determination to be made not by treaty, but by national laws.
Finally, I would agree with your point that treaties are just words on a paper in the end if somebody disagrees with them. The point was to defuse the argument that the Berne convention does not allow for such reform to take place. It does. You could make the point that it doesn't really matter in the end though, since if the other parties to the convention decide they don't like how you interpret the convention, the treaty is just as little worth as if it had been broken by Sweden first.
EUCD, article 5, paragraph 2: Member States may provide for exceptions or limitations to the reproduction right provided for in Article 2 in the following cases:... (b) in respect of reproductions on any medium made by a natural person for private use and for ends that are neither directly nor indirectly commercial, on condition that the rightholders receive fair compensation which takes account of the application or non-application of technological measures referred to in Article 6 to the work or subject-matter concerned.
That explicitly permits a member of the European Union to permit noncommercial reproduction of copyrighted materials. What is "fair compensation" is determinable by individual member states.
Also, with regard to the Berne convention, it plainly states that exceptions to restrictions of reproduction can be made if "such reproduction does not conflict with a normal exploitation of the work and does not unreasonably prejudice the legitimate interests of the author." It simply doesn't get any more plainly open to interpretation than that. No words are being twisted here.
Not to mention Håkan Lans, the inventor of a key technology used in colour computer graphics among other things, for all the good the patent system did him.
The Berne convention leaves a lot open to interpretation.
Berne, Article 9, paragraph 2: It shall be a matter for legislation in the countries of the Union to permit the reproduction of such works in certain special cases, provided that such reproduction does not conflict with a normal exploitation of the work and does not unreasonably prejudice the legitimate interests of the author.
Rick Falkvinge (the leader of the Swedish Pirate Party) has written a great analysis of this on his blog -- unfortunately it's in Swedish :-/
Hey, you have plenty of smart forward-thinking people over there in the US too. The fact that a dozen or so of our MP:s (in the party who have traditionally been one of the most staunch defenders of the copyright status quo) have finally gathered together enough courage to break from the herd on this issue doesn't mean anything will necessarily happen any time soon. They're still a minority.
The most depressing part is that, as far as I've seen, this has been a completely mono-partisan move by dissident members of parliament belonging to our moderate/conservative party, who are currently the major part of the incumbent coalition in our government. Our so-called opposition is too busy to oppose the incumbent coalition on any and all issues to be seen allying themselves with a group of members of the Moderate party, even a breakaway faction.
Wouldn't this violate voter privacy? If the only paper ballot you have matches the actual vote case, you could take a snapshot of it with your cellphone and show to the guys who paid for your vote. A major point with secret ballots is that you do not have a paper trail, so you can lie to anyone instructing you to vote for a certain party.
Excellent point! Hadn't thought about that.
You could take a snapshot with a cell camera today, but there's no way to prove that was the actual vote you cast. If no other ballot papers actually exist -- well -- then it would be possible.
There's generally not much wrong with paper voting, as long as the process is totally transparent, but there are a few ways you can cheat with paper voting, but generally it's a pretty good system.
There are a lot of smart people asking -- how can we make electronic voting as good as traditional voting with slips of paper? What if that's the wrong question? What if instead, paper voting could be made *better* with the advent of electronic technology?
There was an article a week or so back describing some place printing ballots on demand. What if paper ballots were printed on demand, but the people printing them are the voters? A machine could be hooked up to print a ballot when a voter presses the correct buttons, and would only print out one ballot per voter. The ballots themselves would also have a barcode on them with a code certifying which machine printed them. The printers would count how many ballots were printed, and if that number doesn't match the number counted, that'd signify a problem -- either the machines were tampered with, or the physical ballots.
Now, that'd still make it possible to print excessive ballots from a printer, but then the number of votes wouldn't match the number of voters, and thus, number of votes cast.
To fix that, you could use some kind of public key cryptography system. In order to vote, you are sent a voter registration card, which contains a single-use private key on a 2D-barcode, which in turn is signed by whatever authority compiles the eligible voters list. That private key in turn is used to sign a message that simply says "I voted" and nothing else. That would eliminate the possibility of faking lists of who voted, except if the private key itself was falsified to start with, or if multiple such keys were assigned per person.
But that's okay. Now there are only three possible attack vectors (that I can think of) -- key falsification (only possible if you're part of the authority that issues voter identities), key theft (possible if you rifle through the mail of whoever's identity you want to steal), and vote changing (would require tampering both with voting machines *and* with paper ballots).
The key theft threat can be mitigated by rigorous identity checks -- possession of the proper private key should not be sufficient to vote -- some kind of ID should also be necessary, and the key falsification threat can be minimized by *very* rigorous inspection of whatever authority issues said keys, and the vote changing scenario is made more difficult than it used to be.
Now, such a system would probably never be implemented due to cost concerns. But it'd probably be better than the paper voting we have today, and it wouldn't break the secret ballot, nor would it make the system less transparent. It'd basically be the old system with a parallel electronic system to ensure whoever counts the paper ballots are honest. There are probably other flaws too, I don't know. :-)
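A sketch of the audit side of the scheme proposed in the comment above, added here as an example (it is not the commenter's code). It assumes Ed25519 keys from Node's `crypto` module and models "signed by the authority" as the authority signing the public half of each single-use key; all function names and the sample election are constructed for illustration.

```javascript
// Added example; names and the sample election are constructed for illustration.
const nodeCrypto = require('node:crypto');

const MARKER = Buffer.from('I voted'); // the only message a voter key ever signs

// Authority: one single-use key pair per eligible voter, public half certified.
function issueCard(authorityPrivateKey) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const pubDer = publicKey.export({ type: 'spki', format: 'der' });
  return {
    privateKey, // what the registration card's 2D barcode would carry
    pubDer,
    cert: nodeCrypto.sign(null, pubDer, authorityPrivateKey),
  };
}

// Voting machine: sign the fixed marker. Nothing about the ballot's content
// is signed, so the marker list cannot be linked to how anyone voted.
function castMarker(card) {
  return {
    pubDer: card.pubDer,
    cert: card.cert,
    sig: nodeCrypto.sign(null, MARKER, card.privateKey),
  };
}

// Auditor: count markers that are certified by the authority, correctly
// signed, and not seen before (each key is single-use).
function auditMarkers(markers, authorityPublicKey) {
  const seen = new Set();
  const tally = { valid: 0, forged: 0, badSignature: 0, reused: 0 };
  for (const m of markers) {
    if (!nodeCrypto.verify(null, m.pubDer, authorityPublicKey, m.cert)) {
      tally.forged++; // key was not issued by the authority
      continue;
    }
    const voterKey = nodeCrypto.createPublicKey({
      key: m.pubDer, format: 'der', type: 'spki',
    });
    if (!nodeCrypto.verify(null, MARKER, voterKey, m.sig)) {
      tally.badSignature++;
      continue;
    }
    const id = m.pubDer.toString('hex');
    if (seen.has(id)) {
      tally.reused++; // same single-use key presented twice
      continue;
    }
    seen.add(id);
    tally.valid++;
  }
  return tally;
}

// Cross-check the three independent counts the comment relies on.
function reconcile(validMarkers, ballotsPrinted, ballotsCounted) {
  const problems = [];
  if (ballotsPrinted !== ballotsCounted) problems.push('printed != counted');
  if (ballotsCounted !== validMarkers) problems.push('ballots != verified voters');
  return problems;
}

// Constructed election: three voters issued cards, two vote, one key is
// replayed, and one marker comes from a key the authority never issued.
function runDemo() {
  const authority = nodeCrypto.generateKeyPairSync('ed25519');
  const impostor = nodeCrypto.generateKeyPairSync('ed25519');
  const cards = [1, 2, 3].map(() => issueCard(authority.privateKey));
  const markers = [
    castMarker(cards[0]),
    castMarker(cards[1]),
    castMarker(cards[1]),                         // replay of a used key
    castMarker(issueCard(impostor.privateKey)),   // not certified by the authority
  ];
  const tally = auditMarkers(markers, authority.publicKey);
  // Four ballots were printed and counted, but only two voters verify.
  return { tally, problems: reconcile(tally.valid, 4, 4) };
}

console.log(JSON.stringify(runDemo()));
```

The audit only shows that the counts disagree; as the comment says, a dishonest issuing authority or a stolen card is outside what the signatures can detect.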
Everything I've seen so far indicates it will be incredibly difficult and expensive to thoroughly decontaminate a spacecraft in order to ensure that Earth-based organisms don't "piss on the Petri Dish".
Actually, pissing on the petri dish wouldn't be such a bad thing, since urine is sterile. :-)
Bear with me, I haven't actually worked with Token Ring networks, but from what I seem to remember from a networking course I once took -- Token Ring is an implementation of the physical and data link layer. That leads me to believe there's nothing preventing you from running TCP/IP over Token Ring. For all I know, my IP traffic may be traversing some Token Ring networks on my way to posting this. (I seriously doubt it though.) IP is IP after all. :-)
Anybody wanting to develop a smart electricity grid should take a look at that document, includes lots of information about hazardous voltage drops and other pitfalls that can be avoided.
[...] it's been ruled multiple times by the courts that downloading for personal usage is legal. Also that uploading is legal, as obviously to download, someone has to upload.
Your logic is flawed.
What you're saying is akin to, "murder must be legal, since being murdered is legal, and for somebody to be murdered, somebody must be doing the murdering".
One possible rationale behind laws that say downloading is illegal while uploading isn't, is that there is no practical way somebody who is merely using a network download can possibly know whether the copyright holder has authorised such distribution. For all you know, the downloads may be sanctioned.
However, when making a file available, you're expected to clear it with the copyright holder. On some level this makes sense, as long as you think along the lines of traditional producer->distributor->consumer lines, and expect normal people to be passive consumers.
The fact that the Internet doesn't actually universally work that way any more, however, has changed the balance. Everybody's uploading and downloading these days, often uploading and downloading the same file simultaneously.
To apply the same logic to modern peer to peer technology, you'd have to change the distinction from uploader and downloader, to a distinction between the person who ripped, encoded, and put the first copy online in the first place, and everybody else. That would effectively decriminalize peer to peer file sharing, although files would still enter the system illegally. Once they're in the system, they'd effectively be fair game though.
I'd prefer the changes to go a bit further myself. Non-commercial copyright infringement should be downright legalized. The copyright system was conceived in the age of the printing press being an instrument of power in the hands of relatively few people -- not a society where practically everybody has access to a global information and media exchange network -- an own personal printing press if you may.
I'd guess it's inconvenient because of the added complexity of another set of wires running through the house...
Also, how do you run typical modern electronics at 48 Volt anyway? Most integrated circuits seem to operate nicely at voltages close to 5 Volt, so you'd need to step the voltage down anyway somehow... and converting AC/AC is easier than converting AC/DC.
Well... with the widespread usage of switching AC/DC wall warts -- at least converting AC/DC is no harder than converting 48VDC/DC.
Something tells me perhaps the best of both worlds would be a drive that (I think IBM) was working on that had a large array of small read/write heads, and read data by shifting the platter on a x-y plane, where the whole array of heads could pick up bits at the same time as opposed to the 4-8 of a normal spinning HDD.
I always wondered why they don't do that for optical drives. That could certainly improve performance. Even with two read heads you could stamp your CD-ROM reader with 104 X max. :-)
The reason faster drives aren't made now, from what I've heard, is that the actual discs can't handle the centrifugal stresses and shatter at such high speeds.
Yes, in theory. But why does any reasonable user need that much power?
I'm genuinely curious. What *is* it that drives the demand for power supplies that can source that much power? I run a home file server (a crappy Pentium II -- 266 MHz, yay) with 7 hard drives stuck in it off a rather wimpy power supply -- almost certainly no more than 350 W -- probably closer to 250 W. (Not sure what it is, and I can't be arsed to go check.)
There isn't really any controversy over whether the Americans went to the moon. Pretty much every single claim that they didn't has been convincingly debunked. And if the conspiracy theorists don't believe those debunkings -- do you really think they are going to believe some images from an unmanned Japanese space probe?
Eil,
This post so wonderfully parallels current political developments in Sweden that I had to re-post it on my blog for more people to read.
Link to blog post (in Swedish -- at least the parts you didn't write :-))
Mostly incomprehensible automatic Google translation
Thanks for taking the time to write your comment.
I just read the draft. That has got to be one of the more awesome hacky ideas I've read about this year.
Thanks for sharing!
Thank you for agreeing with me. :-)
Apps isn't the whole story. If it were, Mac OS X would be even bigger than it is today.
You grow out of being a certain age, you don't grow out of being a nigger.
Rick Falkvinge (the leader of the Swedish Pirate Party) has written a great analysis of this on his blog -- unfortunately it's in Swedish
Rick Falkvinge: Sverige kan legalisera fildelning imorgon
There are a lot of nice quotes from various treaties that show just how much flexibility a signatory to a treaty is -- some of them in English.
Does anybody know whether it's going to be compatible with RFC 3251 Electricity over IP?
Anybody wanting to develop a smart electricity grid should take a look at that document, includes lots of information about hazardous voltage drops and other pitfalls that can be avoided.
What kind of laptop do you have that uses 3.5" drives? :-)