As much as I love the EFF, having attended the trial I can see why we lost:
They said their stuff was stolen. We argued that we should be able to get away with it.
"Their secret wasn't protected enough" "They waited too long" "They knew it'd be broken" "They don't know for sure we got it from Xing" "Maybe they don't really have the right to sue us!"
Note, we didn't argue some greater good that is served by the taking, nor the harm implied by enforcing a unilateral license agreement upon a captive audience. We didn't claim they had no right to deprive us of rights; hell, we didn't claim a single right at all. This is coming out a hell of a lot more bitter than it should, but I think this loss will make us stronger in the long run.
They proved they lost something. We tried to prove...something. I'm not sure.
Here's my summarization of the plaintiff's case. I'm not going to continue this document, but rather work on something completely different--something that directly addresses just exactly what the DVD CCA is trying to take away from us.
I'll be honest: I'm not happy with the way this turned out, and if I wasn't so crammed for time (I literally just secured long term housing for myself around 20 hours ago), I wouldn't even post this. But c'est la vie.
=====

DVD Redux: The Plaintiff's Complaints
=====================================

A Courtroom Analysis by Dan Kaminsky
effugas@best.com
http://www.doxpara.com
After receiving a rude awakening from the Linux community--and, make no mistake, it's us they're fighting--the DVD Copy Control Association today stepped up their efforts to restrict the further release of the codes necessary to play a CSS-encoded DVD disc. Last time, they walked into court with the presumption of victory on their lips. This time, they fought with far more intensity. But with far more time to prepare, so did we.
As of the writing of this summary, it remains to be seen who will prevail.
For sheer lack of time (and because I have no idea if anyone wants me to finish), I will restrict my analysis to the opening case of the plaintiffs.
The plaintiff's case seemed dedicated to addressing the wounds it received at the TRO (Temporary Restraining Order) hearing. Extensive evidence was offered justifying the claim that the DeCSS code was derived from Xing--a fact not extensively challenged online, but a core doubt raised by the defense at the TRO hearing. Posts on Slashdot were quoted *heavily* by the plaintiffs as an attempt to prove that the Linux community was on notice that it would be illegal to decrypt the video stream.
Yes, this means that Ye Olde Anonymous Coward has been entered into the court record. Numerous comments from many parties to that discussion, including ACs, that contradicted the plaintiff's case and notified developers of their rights to reverse engineer were however conveniently ignored by the plaintiff. Such examples of distorted reality popped up all throughout the hearing; quite annoying, to say the least.
At this point, the plaintiff's case turned truly bizarre. While the DVD CCA fell over itself to say it wasn't actually invoking the Digital Millennium Copyright Act, which may only be invoked in federal court, it made arguments under the act as a means to express and provide a perspective upon the public policy of the United States of America and, indeed, the 171 signing nations of the WIPO treaty. The relevance, argued the plaintiffs, was that since California's Uniform Trade Secret Act spoke of impropriety and not unlawfulness, the established public policy of the country should be used as the standard of what is proper and what isn't.
I must admit, I wasn't aware that playing a DVD qualified as a particularly un-American activity. It might explain the civil disobedience campaigns (t-shirts/contests) that the plaintiffs were so utterly disturbed by, however. Anyway, one wonders about the public policy the courts are supposed to apply when there's absolute consensus outside of Hollywood that individuals should be able to A) play their own videos, B) sell their own CDs, and C) record their own TV shows while still remaining good, patriotic Americans.
The case then moved into the international realm. Much noise has been made of the fact that reverse engineering of this type is generally quite legal in Norway, and indeed Europe as a whole. Both sides presented experts on the topic; needless to say, the opinions were not identical, with the plaintiffs pretty much claiming their expert made a more convincing argument than our expert. The plaintiff's expert, a Norwegian lawyer, claimed that the general law prohibiting unauthorized access to another individual's property, and particularly another person's data, should be applied in this case. On its face, this seems rather strange, since this case is about preventing a person from accessing data contained within their own physical property--the lawfully purchased DVD disc. But that's just my opinion.
The defendant's expert, claimed the plaintiff, was far more circumspect and wishy-washy, saying in effect that it could go either way and that the issue was undecided in Norwegian courts. Since the plaintiff's answer was definitive and the defendant's answer was less so, the former ought to be considered more valid than the latter.
Returning to the core facts of the case, the plaintiffs reasonably argued that of all the defendants, none had provided an alternative source of the data aside from the Xing rip. Furthermore, the applicable law stated that prevention of *further* disclosure of a fact discovered after the usage to be a trade secret was an acceptable remedy, and since they weren't suing for anything more than such restraint (no damages, real or punitive), an injunction would specify the exact relief the law provided for. Since the defendants were on notice anyway, by both the passage of the DMCA and through "pervasive Slashdot discussions", this wouldn't be a surprising or inappropriate occurrence.
Next, the plaintiff's primary counsel addressed the Linux interoperability argument. Given that a Linux developer would be willing to accept the arguably onerous terms of the CSS license (among which is that no imported DVDs may be playable, and that the source code be heavily closed and encrypted), the DVD CCA would be more than happy, he argued, to provide legal access for Linux users to play DVDs. Since IBM and Intel are both heavily invested in Linux, they argued, the means exists for a Linux DVD license to be signed.
The plaintiffs then trotted out the obligatory Coca Cola example: McDonalds sells Coke products, but Burger King only sells Pepsi. Just because you want Coke at Burger King, doesn't mean you get to steal the syrup off the truck, or break into Coca Cola headquarters and steal the formula. (I was unaware any DVDs had been stolen at gunpoint from UPS, or that Eric S. Raymond had led a crack commando team into the heart of Santa Clara for Operation LiViD-By-Any-Means-Necessary.) Because of this willingness, stealing the trade secret could not constitute appropriate self-help under the exceptions granted for interoperability. Sony's successes against the emulation community were raised, and the point that there was no fair use of trade secrets was made.
At that point, a new attorney for the plaintiff came up and began arguing against the EFF's extensive First Amendment case. The EFF pointed out that the DVD CCA is seeking prior restraint against news sources (Slashdot itself is a named party), and that people merely want their traditional free speech rights to be enforced. Three responses were made: First, that the theft of trade secrets does not constitute a traditional usage of free speech rights. Second, that the defendants were not news sites (Slashdot?), and even if they were, they still couldn't post trade secrets. Finally, that the posting went beyond discussion--actual code was either directly there or being linked to.
The plaintiffs provided an example of what they'd like the judge to rule. It'd be acceptable to them for the San Jose Mercury News to provide commentary and analysis on the topic of the DVD decryption system, but to actually publish or link to the broken system would be a violation of trade secret law in their eyes. (As the defense later noted, such a linking has already taken place.)
In an interesting move, the plaintiffs used the Bernstein precedent that code is a form of speech to defend their position: The government was trying to suppress Bernstein's publication of his own encryption code. This is about a judge suppressing 200 John Does' republication of someone else's encryption code. Of course, that implies that the code being republished was, in fact, someone else's--an access key does not a software product make, particularly when, as Sega v. Accolade decided, stripping the access key from a piece of software is necessary to make other software interoperable.
The plaintiffs are continuing to attack even mere linkers--the whole concept of "instant access" to infringing sites scares the DVD CCA. One would think that the downsides of implicating the New York Times(as the defense pointed out) would override the advantages of a bit more protection against spurious links, but perhaps the DVD CCA sees things differently.
One thing the DVD CCA took particular offense to was the claim that the defendants were, in fact, helping them out by exposing the weakness of their system. They rather reasonably noted that, if the defendants were looking to help the CCA out, they could have sent an email, perhaps a real letter. Selling T-Shirts and running contests wasn't helpful.
On a sad note, the plaintiff's case concluded with some of the more vitriolic fear mongering and inappropriate references I have seen in quite some time. Beginning by claiming that the defense was trying to dismantle the entire IP system, massive (and rather irrelevant) hacks against military bases funneled through stolen Pac Bell internet account information, as well as the recent CDUniverse credit card scandal, were brought up as what could only be termed as character assassination against the "hackers" of the defense. Then, with the size of the DVD industry paraded in front of the judge as the sole reference to the irreparable economic damage that DeCSS and Linux players must surely create, the plaintiff made the entirely valid point that while the hacker community has embraced DeCSS, LiViD, and other CSS cracking systems, the mainstream has not yet adopted such tools. But what of the harms, should a mainstream that fought bitterly against record "spoiler systems" and has spent the last twenty years making audio mix tapes using their cassette recorders?
The direct harms that the DVD association brought to bear were summed up in a quote, in which it was stated that without legally backed copy protection, no media format(such as DVD Audio) could ever be good enough for Hollywood. And perhaps this is true. Manufacturing costs, the splurge of spending that accompanies repurchasing of previously owned content, now New And Improved, maybe even the profits from the conflicted interest consumer electronics divisions(Sony) just wouldn't be enough. Without the ability to technologically mandate what the courts would never accept--government enforced regional sale restrictions, arbitrary demands on DVD player manufacturers, a ban on personal backups and "mix DVDs"--perhaps we'd never see the big studios agree to new formats.
Oh well, I'm off to go play an 8-Track and catch some sleep, secure that they'll never give me a better quality music format for me to play with...
More next time, if you like.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
AOL has *always* taken over your IP configuration whenever you connect, or at least it has since AOL 3.0. I figured this out a few years ago, when I realized that this one girl I was troubleshooting (heh) over ICQ had somehow managed to appear on an IP address far, far outside our dorm network.
AOL doesn't trust *anyone's* code--they put a custom VPN style interface into every windows machine they're shoved into. (This is that "AOL Adapter" thing.)
Incidentally, AOL makes for quite an excellent covert channel--high bandwidth expectation, protocol unhandled by most sniffers(as far as I know), and a Linux client. Never, ever allow AOL access out of your corporate firewalls:-)
This latest behavior *does* seem rather insane. They're basically uninstalling the software of other companies--that's far and away beyond the expectations of the user doing the installation! That exceeds the implied contract, and has all *sorts* of problems with sheer fraud--what if AT&T phone service automagically prevented Sprint from calling you with a lower rate? What if NBC sent hidden signals to your television station removing CBS and ABC from your channel listings? (Yes, I'm noticing the irony with the recent CBS brouhaha.) Hell, what if putting in a demo for Quake 3, Unreal Tournament was wiped from your hard drive?
Lets expand on that: There'd be a significant amount of anger if Id Software sold a "competitive upgrade" for Unreal Tournament at a reduced cost that left UT unplayable, but even that would pale to the rage if the user wasn't warned prior to purchase or even installation that installing one game would remove its competitor.
In the name of simplicity, that's what AOL is pulling.
And what about the privacy implications? After all, half of privacy is the ability to sequester oneself in a private domain. (All "explicit privation" methods fall in this category, from locking one's door to calling someone on a pay phone.) AOL's behavior intentionally removes the options of accessing a private domain, requiring intentional and difficult re-enabling of those alternate ISPs.
Not good. Not good at all.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Everyone likes to talk about Denial of Service attacks through packet spoofing, twisted fragments, etc...
Perhaps the MPAA is teaching us about attacking not the technical but the administrative infrastructure!
Think about it: Spoof an email from a major law firm, claim that a certain individual has been writing harassing emails from a given account, attach utterly forged harassing emails, and watch the target account get dropped like a rock.
Do that to the phone company, you'll get ignored. Do that to a small ISP, you'll *still* get ignored. But do that to any ISP with a division between engineers and management, and your target is toast.
Thanks, MPAA! You've just taught me a beautiful new technique for denying internet service to targets who talk about things I don't want to hear about. I guess you're just the greatest hackers of all.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
As art imitates life, life imitates art. We're watching what may very well be the most interestingly designed media campaign of the last few years--certainly the most intentionally mysterious, curiously designed, creatively leaked(certainly the most...effectively subversive use of the US Patent Office) company the computer industry has ever seen.
Twenty minutes, and the gloves come off. They've had years to prepare for this; now we get to see if the computer industry gets its first proper launch.
No more delays. No more promises. The most carefully marketed R&D house in Silicon Valley is about to open their doors--it'll be intriguing to see if they're as skillful on the open scene, under attack by the whispering galleries of competitors.
Hiring Linus was genius--you couldn't buy a more devoted audience.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Yup. The net is secure enough for billions of dollars of e-commerce, but not for voting. Here's why:
Fraud on the financial level is easy to detect--somebody is out their money. Someone either has their goods or has their money, and either they have both or they have neither. There's a long paper trail, with *individual* impact on only the two parties involved in the financial transaction.
Fraud on the voting level is so much different, it's scary. Your computer says, "Ah! Vote registered for Mr. Bob", and that's it. You're out no money, you've lost nothing if your desktop has been secretly tampered with, and there's no paper trail that you're going to have any reason to analyze because you're not going to know anything went wrong. Let's not forget, with nothing written down, there's no physical evidence of the original votes--how can one demand a recount when the servers store the votes? Once the data enters the server, all sorts of unique WORM/cascading signature/etc. methodologies can be applied, but it's gotta get there.
The most insidious part of all of this is that it's not simply the voter that loses out by a falsified vote, but society as a whole. Votes affect everyone; financial deals are limited to those directly transacting.
Maybe something like iButtons, or Amex's Blue, might go a long way towards increasing my faith in online voting. For now, I just don't think the tech is there for something so critical.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
And they do have the right to control what formats the content they produce is distributed on. "Fair use" is for quoting and limited reproduction, not redistribution of the entire body of material.
So AvantGo, which converts websites (in as much detail as you like) to a lower quality, PalmPilot-viewable form, is unfair use in your book?
Hell, what about recorders? They downshift a high quality NTSC signal to a degraded--but still viewable--form for extended storage. Sony v. Universal was pretty clear that this was OK. RIAA v. Diamond even went so far as to establish the right to space shift--I have a 10GB hard drive, and with transcoding I could probably put a half dozen movies onto my 2.5inch platters. Give me a minidisc size device with a 10gb hard drive and eyeglass displays, and suddenly I can carry a small chunk of my movie library in my pocket.
Who is the movie industry to tell me that I can't do that?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
All human transactions include built-in presumptions about the status of each interaction--in plain English, there's a lot about what we get from each other that we just sort of "assume".
Contracts generally exist to clarify assumptions, not introduce utterly unexpected clauses--for example, a parking lot *can* disclaim liability for random damage caused to your car, but *can't* make the claim that exceeding one hour parking causes ownership of the car to transfer to them.
Contracts reflect the surrounding legal environment; they rarely completely rewrite it. The leeway granted on contract negotiations appears to usually be connected to the equivalent levels of power between the two negotiating bodies--the less legal force one party has in relation to another, the more the validity of the underlying contract is controlled by the legal environment. (Thus, the recent dismissal of an employee's noncompete clause which stated they couldn't work for a year in the same industry--this would have destroyed the employee but done no harm to the employer, thus the judge declined to enforce.)
This applies directly to the re-editing of video streams in that there's a presumption by the viewer that what they are seeing is a representation of the facts. The yellow first down line represents a fact that is in conceptual existence but lacks physical representation. This is a use of the technology to aid comprehension. However, the surreptitious modification of video streams to replace advertising and/or objectionable content is different--there is no underlying shared context being expressed, rather the value that the viewer places in what they see within in a given scene is redirected towards whatever the production crew desires.
Now, it's obvious that the production crew can decide the backdrop as a whole--indeed, computer generated news desks are not entirely rare. But they're represented as such, and come replete with their own credibility wins and losses. Similarly, a correspondent appearing to report from the Middle East is spawning the presumption that, "They must know what they're talking about because they're actually there when I'm sitting on my couch *here*".
We attach value and credibility to the backdrop of any news report--even the simple tagline for an AP Newswire story gives the location of the author (if not his or her name).
To replace advertising, or any content in a non-obvious manner(pixelation of objectionable content is obvious, and explicitly changes the context of the display) is to borrow the credibility one holds for an environment and secretly sell it to the highest bidder.
That's not fair, and not even a 1.5 second blurb at the beginning of a broadcast can escape that fact. It's lying to the customer. That's not fair. Show some kids a walking, talking, thinking Teddy Ruxpin bear, and when they grow up provide them invisibly manipulated cities and scenes to believe in?
Hell, at least they're consistent.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
We pretty much impressed everyone there at the TRO hearing--I'm dead serious, I don't think the staff at the courthouse had ever experienced such a courteous crowd. Bruce Perens had a lot to do with this, as he guided us as a mass quite effectively, but everyone there deserves credit for giving the Linux community a good name.
In comparison, the plaintiffs pretty much walked in there like they owned the place, made arguments which were essentially "Not only did these guys post the code, but they were really really mean about it and made fun of us!", and talked about the hundreds of thousands of jobs the movie industry creates. There may have been fewer of them, but guess which group was more civil?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
I must admit, I'm not particularly optimistic about you receiving this question, but I feel the question deserves at least the opportunity to be asked:
Do you feel there is, at times, an inappropriate tendency to assign properties to the universe for no other reason but that specific equations proven on a lower end of inputs will show "amazing results" on a higher range of inputs?
Call it false linearization if you like--the best example I've heard of this came from Bill Gascoyne:
A cautionary thought on the dangers of extrapolation.
It is reported that in 1977 there were 37 Elvis impersonators in the world. In 1993 there were 48,000. At this rate, by the year 2010 one out of every three people in the world will be an Elvis impersonator.
While I'm assuredly not qualified to mention specific examples of what I might feel qualifies as inappropriately applied mathematics, I'd be interested in hearing your perspective on the commonality of this type of error.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Over the last couple of years, we've seen a parade of technologies trotted out as a sign of the death of the PC--everything from the Network Computer to "Web Everywhere" style initiatives.
But the PC hasn't gone anywhere. A lot of this can probably be attributed to its flexibility in adjusting to changing market demands, for example, the emasculation of per-system cost (the former NC trump card).
Thus my question: PCs can change rather drastically over very little time; that much is clear. What form do you see the coming changes taking, and what effects do you see from these changes upon both Linux and the computer industry's tendency to go into Death Watch Hypefests over the future of the PC?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Around the time of the Star Wars Sorenson Compressed Trailer, one of the major Linux video player authors requested access to the Sorenson codec to play that trailer. Reports were that Apple refused to give the coder access to the codec.
Go look back through Slashdot archives--I read it here.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
Please don't think of ER as an accurate portrayal of life in a hospital emergency room. Most doctors I know either can't stand to watch the show or watch it only to get a good laugh.
I think tech life could be edited down to a rather crazy hour, just like I'm sure every episode of ER pretty much contains the craziness of an entire month crammed into the timespan of a few minutes. C'mon, like "pre-IPO", college interns, managers, mad scientists(me), and various forms of firefighting couldn't be at least moderately interesting.
Remember, it wouldn't be so much about the tech, but the people behind the way the tech dies, and the methods by which other people spur into action to recover the systems.
Then again, Law and Order is an amazing show *because* it focuses on the law, not the people...
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
MOV? All the pain of an AVI, with free delays while you deny Apple their cut. From the guys who killed Firewire...
Ugh. [Dan slaps himself around a bit.]
Firewire's launch has been botched--there's no other way to describe the bottom line that having one company call something Firewire while another calls it I-Link while others refer to an IEEE standard is just bad marketing sense that I'm sure some licensing scheme brought about.
Too bad, too, because besides simply having the most awesome interface name of the last twenty years, Firewire pretty much is one of the more perfect external interfaces imaginable--though I don't think they've done the security wrangling that the SIO guys are doing. For those who don't understand the security considerations of one bus uniting all devices, imagine the concept of a rootmouse that, once plugged in, issues calls directly to the hard drive retrieving critical files, all independent of the underlying operating system. That's the kind of worry you just don't have when your mouse is hanging off a 9600 bps UART.
But overall, saying something like this was pretty much flamebait. Off hand, unsubstantiated, assuming that the rest of the audience took as obvious fact what is really a rather contentious issue--these are all things that pretty much guarantee you're gonna fuck something up, and as *ahem* numerous AC's felt free to "adjust my perspective", I fucked something up.
There's very likely a good deal of hype streaming out of Intel against Firewire, and I fell right for it. Damnit.
I was pretty exhausted when I wrote this post, but that's not really an excuse. I don't usually ask for moderation, but if someone wouldn't mind tossing a few points on this apology post, it might quell the flamage:-)
Sorry, all.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
P.S. Couple of you AC's expressed a problem with my writing in general? Email me, if you're not afraid of revealing yourself.
There's nothing stopping you from using a different player (IIRC, both Cisco's IP/TV and the Java Media Framework come with QuickTime-compatible players).
I wasn't aware that IP/TV could parse QT-headered information. Very cool.
This is one of the things I generally like about Slashdot--chunks of knowledge that aren't composed of out-and-out flamage. You'd think I posted that people's mothers were spawns of Satan or something.
One thing I've begun to take very strong issue with is the presumption that it's acceptable to have a fleet of codecs required to play any single media file, with all the codecs wrapped in a single consistent wrapper(Quicktime/AVI wrapping Cinepak, Sorenson, MPEG-1, MPEG-2, AC-3, MP3, Metavoice, etc.) SDMI is planning to use this method, with the idea that "if one company's system is broken, there will still be 19 left."
Talking about an open source streaming solution is empty without talking about the underlying protocol--hell, I've got an open source streamer right here(cat mystream.mpg | nc -l -p 5000). What? You want to use a custom UDP based architecture without any of that annoying Flow Control(poof goes the net;-) and the ability to drop packets in favor of resyncing the media stream? Well, now you need to talk about the underlying format, now dontcha;-)
Experience has taught us that, even on the most compatible platform--I'll calm the flame war by not saying its name--so called "wrapping" architectures fail miserably with surprising regularity. Sure, Quicktime as a format is open, but Sorenson has gone on the record--no compatibility for Linux. Oops, now we ain't gonna be able to watch the Star Wars Preview...gotta go get a closed platform for that.
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
P.S. What the *hell* was I doing posting as sleep deprived as I was last night...I don't think I've ever woken up to as much of a Slashdot mess as I have tonight;-) Mea culpa, tryin' to recover here!
Yes, I know. They tried to charge too much at first. They backed off, and now it's a big 25 cents!
Wow.
They started off with a dollar a port, which would have made adding Firewire connectivity one of the most expensive parts of any system. They knew they had a great technology and--guess what--they blew it.
The quarter license came too little, way too late, and now we're saddled with the horribly overstressed USB architecture.
The general idea is that Apple would have made much more money actually selling video editing macs rather than talking about it for years on end and finally making a lone stand w/ Sony on the joys of home video editing. I'm sure the two companies, who thanks to apple couldn't even share the Firewire name(Is it Firewire? Is it i-Link? Is it IEEE-Gevalt), did pretty well. But that just can't compare to how much business they might have done if home video editing was The Big Thing. It could have been, if Apple hadn't been so stubborn. They could have guided the evolution of the industry in more ways than just blue plastic.
Oh wait. Why am I responding to flamebait?
Uhm, I don't know. Anyone who speaks kritikally of Apple is suddenly posting flamebait?
Yours Truly,
Dan Kaminsky DoxPara Research http://www.doxpara.com
QT streaming server can serve any codec -- it doesn't really care what it is. Likewise, the quicktime player will play multiple codecs, including MP3 and mpeg2.
We have not even begun to get confused. You've actually got more than just "the server" and "the codec" involved--you've also got the "wrapping architecture around the codec" to deal with. Does QT Server stream not only QuickTime-encoded MPEG-1 streams, but also data that conforms to the standard *.MPG file format? It may! It may not! The general theme though is that while the QT player might be able to handle that variant of .MPG, no other player can, so you're stuck with Apple's ad, and inevitable lack of functionality.
I'm not crazy--there's a definite chance that this software plays nicely with whatever you throw at it. But it's honestly not a hard problem to stream MPEG, and it's generally just not a good idea to stream video when nobody has enough bandwidth to get an acceptable level of service.
Lots of companies with large amounts of money invested in overly complicated streaming systems will complain, but there's a real bottom line:
The standard video format is MPG, because MPG Just Works. Everywhere.
AVI has failed. The general perception of an AVI file is one that might play, might not, might suddenly install a new codec, might not, who knows. No predictability.
MOV? All the pain of an AVI, with free delays while you deny Apple their cut. From the guys who killed Firewire...
RM. Realmedia ain't bad, but it just doesn't scale up too well. There's this common delusion that only people with broadband links should be able to view high quality video--in this paradigm, RealMedia can do OK, since relatively few people have consistently extreme high bandwidth links to the Net. But, ya know what? This paradigm leaves millions of people unable to view high quality video, except on television.
Presume people can download clips and watch them later, and suddenly the stream-biased, bandwidth-capped format that is RealMedia suddenly looks stale and chunky.
The bottom line, beyond quality issues, is that MPG has won for the same reason MP3 did: It Works. All the various copyright protection systems are obsessed with creating situations where the consumer tries to do something and It Doesn't Work. As I'm sure the consumer trials are showing, when Things Don't Work, consumers simply refuse to buy in. And that's the key--the investors may fund, the studios may create, but it's the consumer that pays for it all.
MPG may not be a low bandwidth streaming format, by any means, but the general obsession of streaming--and streaming only--is short sighted at best, and suicidal at worst. It will be interesting to see how this pans out over the next few months.
See y'all at the DVD trial...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
For years, I've been wondering when us geeks would have a TV series of our own--one that, sorta like ER, gave an honest (and patently ridiculous--considering the manic depressiveness of the tech lottery^H^H^H^H^H^H^Hstock market) view of life in the ultra fast lane.
I hear Po Bronson was working on a show like this, but seeing these action figures, one has to wonder if a...younger, more malleable audience could be coaxed into Microsoft Hero Worship.
Geek Intern Joe. Oi.
This actually becomes much more interesting when you consider that most of the cartoons from the early 80's were entirely funded by toy manufacturers, not by the advertisers that ran commercials during the show. The show itself advertised the toy product--and oh boy, did we eat it up.
Yeah. I could see that kind of tactic. I'm not saying that's what they had in mind--no, I actually think the action figures are pretty damn cool. I especially like the Kung Fu Grip of the female doll...about to be struck down by Suck's own Jihad Tux, of course;-)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I greatly respect the engineering that went into this paper, but I think we're talking about a little bit of...oh, I don't know...when you've got a hammer, everything looks like a nail?
What's been discovered is a method of, independent of the file system and various configuration files, extracting a key based on the difference between that key and the surrounding ambient randomness.
Independent of the file system?
How, exactly, is the web server supposed to retrieve the private key without a file call? Perhaps it should reference a specific block on the hard drive, and read x bytes from that location? Oh, oops, now we've got a "big deal" of a security breach in our web server configuration files.
When I first read this, I had assumed they discovered a method by which the private key could be divined by remote interrogation of the server side provided challenge. That's not what they discovered. They found a way that, given a hard drive with every single file concatenated together with no indexing system available, they could still find zones likely (but not guaranteed) to represent private keys.
Anyone here have a hard drive like that?
This is *cool*, from a geek sense. I appreciate the value of the research. But it's so far from a big deal, it's ridiculous. It's one thing to say that shared servers increase the risk of having your private key stolen--I'd *hope* that the keys of one customer are isolated from the owners of another--but this specific worry is just...inaccurate. Cool tech, but not something to have your blood pressure increase over.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
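The "key versus ambient randomness" technique the post is talking about is a sliding-window entropy scan: key material has near-maximal byte entropy, so windows that score far above the surrounding text are candidates. The following is an added example, not the paper's code or the poster's; the image, the config text and the seeded pseudo-random block standing in for a key are all constructed here, and it shows why the result is only "likely, not guaranteed": compressed or encrypted data scores exactly the same way.

```python
"""Sliding-window Shannon entropy scan for key-like regions in a byte image."""
import math
import random
from typing import List, Tuple

WINDOW = 64       # bytes examined per window
STRIDE = 16       # distance between successive window starts
# 30-symbol ASCII config text can never exceed log2(30) ~ 4.9 bits/byte,
# while a window of uniformly random bytes sits near 5.7, so 5.2 separates them.
THRESHOLD = 5.2


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(image: bytes, window: int = WINDOW,
                              stride: int = STRIDE,
                              threshold: float = THRESHOLD) -> List[Tuple[int, int]]:
    """Return merged [start, end) ranges whose windows exceed the threshold.

    A hit is a *candidate* only: compressed archives, encrypted blobs and
    random padding score just as high as a private key, so every region
    still needs confirmation (e.g. by trying to parse it as a key structure).
    """
    regions: List[Tuple[int, int]] = []
    for start in range(0, len(image) - window + 1, stride):
        if shannon_entropy(image[start:start + window]) >= threshold:
            end = start + window
            if regions and start <= regions[-1][1]:
                # overlapping or touching the previous hit: extend it
                regions[-1] = (regions[-1][0], max(regions[-1][1], end))
            else:
                regions.append((start, end))
    return regions


# Constructed low-entropy filler: 30 distinct byte values in total.
CONFIG_LINE = b"# httpd.conf: ServerName www.example.test\nListen 443\nSSLEngine on\n"


def build_sample_image(key_offset: int = 600, key_len: int = 128,
                       seed: int = 7) -> bytes:
    """Constructed 'disk image': repeated config text with a seeded
    pseudo-random block inserted at key_offset to stand in for key material
    (it is not a real key, just high-entropy bytes)."""
    rng = random.Random(seed)
    text = CONFIG_LINE * 30
    fake_key = bytes(rng.getrandbits(8) for _ in range(key_len))
    return text[:key_offset] + fake_key + text[key_offset:]


if __name__ == "__main__":
    image = build_sample_image()
    for start, end in find_high_entropy_regions(image):
        print(f"candidate key material at [{start}, {end}), "
              f"entropy {shannon_entropy(image[start:end]):.2f} bits/byte")
```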
You'd think after the first 17 postings about that not being a word, people would catch on. Guess not.
Gotta love the English language. Unlike, say, Spanish or French, there is no central committee which decides which words are valid and which ones aren't. While dictionaries and Trusted Newspapers take some of the responsibility, the general rule is rather democratic: If enough individuals use a given word to represent a consistent concept, and if that word is not a homonym of a word with a slightly different (and more standardized) spelling (their/thier/there), that word is considered coined and valid.
Remember, it is not the purpose of a dictionary to create the language, only to reflect it.
Altavista shows 8,496 usages of the unique word "virii". At bare minimum, "virii" qualifies as an alternative, non-misspelled variant of the word "viruses".
Don't play semantic games with me, AC;-)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Some friends of mine just bought a Borg Cube style case--essentially something along the lines of two mid towers side by side, with some funky stuff done for mounting internally.
Oooh. Two mid towers.
Lots of cases I see down at Fry's are from manufacturers that got their hands on custom molded plastic that looks just like Apple's new shtick.
Oooh. iMac.
C'mon! Granted, the Penguin Case is cool, but it's still just that: A case. Show me some real designs, something that makes my jaw drop and go "Wow, I can put an ATX motherboard in that!?!" What about stereo components--hide a CD-ROM drive under a retractable panel and voila, a computer that integrates with the entertainment system. (Yes, Gateway had a monster system like this a while back.) What about glass? Sony has an LCD monitor embedded within a classic desk photo glass enclosure. People, it's beautiful.
We've got tens of thousands of people out there with the technical skill to render three dimensional vistas that take your breath away, or a battered soldier's rusting weapon. Sony does not have a monopoly on new case forms, and neither does Apple. I want to see what is possible and place my computers in what is obviously not a knockoff. I like beige boxes, but there's more to desktop machines. I love my Toshiba Tecra, but I'd be lying if I didn't say the sheer elegance of Sony's entire laptop line didn't blow me away.
C'mon. We can do better. Let's try.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Please fasten your seatbelts, as we are presently experiencing turbulence as the result of excessive metaphor shear."
As much as I would absolutely love to fully envision the Net as a living, breathing organism...it isn't. There are aspects of biology that are appropriate, but I think it's fair to say that these researchers are presuming excessive organic/technical equivalence:
Technology is externally changed, quickly, and often within the same generation of machinery. Organics internally evolve, extremely slowly, and even then almost wholly reserve their changes for the next generation.
The fact that technology is externally changed means that there's no evolved internal consistency--the immune system must be explicitly modified to support the new transplant. As biology and technology have shown us, spooging the new into the old is difficult work. The speed of modifications too is frightening--while it's obvious that the host systems change much faster in a technological environment, I'd be interested in knowing the genetic variation of attacking bacteria and virii vs. the command variation of attacking trojans and computer viruses.
The generational woes are the killer--it is impossible to establish the biological concept of a "homeostatic self" onto systems that never stay either frozen in the present or predictable in their growth towards any degree of future.
Now, granted: There are assuredly "all quiet" states on the average network, and recognizing such states is a common tactic of network monitoring systems. (Indeed, there's a free app out there that will generate a firewall config that will pass any traffic it noted on your network during a "trusted state" period, then block anything else.) But that's a rather blunt methodology, and denies the inevitable existence of new services. The big problem is: How does one respond to a deviation? The curse of unpredictability is the inability to automate appropriate responses. The curse of being forced to constantly formulate appropriate responses is that it's burdensome and prone to false positives. The curse of not formulating appropriate responses is that you end up not responding at all;-) All in all, a nasty situation.
I should be fair--I like what I'm hearing from these guys. I've been saying for quite a while that systems that prevent the results of an instability from being necessarily exploitable (essentially, randomizing and shuffling systems so that there is no predictable "skeleton key" to the system that works every time). Their talk about monocultures is perfectly appropriate here. IBM's work with victim labs is beautiful, if not more than a bit macabre if backwards ported to human biology. Even the packet signaturing is interesting. But we should be aware of the limitations of this technology, and I'm interested in just how aware these researchers are of the differences between the evolved and the created.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
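The "trusted state" allowlisting the post describes, as an added example (not the poster's code and not the unnamed tool he refers to): it learns the flows seen during a quiet period, renders them as illustrative iptables-style allow rules with a default drop, and then labels a later window. The flow-log format and all addresses are constructed; the point it makes is the one above, that a freshly deployed service and an unexplained new destination are indistinguishable to a pure deviation check.

```python
"""Learn a flow allowlist from a 'trusted state' window and flag deviations."""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, int]  # (protocol, destination ip, destination port)


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow-log line of the form
    '<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>'."""
    _ts, proto, _src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    dst_ip, dst_port = dst.rsplit(":", 1)
    return (proto.lower(), dst_ip, int(dst_port))


def learn_baseline(trusted_lines: List[str]) -> Set[Flow]:
    """Every destination service observed while the network was 'all quiet'."""
    return {parse_flow(l) for l in trusted_lines if l.strip()}


def render_rules(baseline: Set[Flow]) -> List[str]:
    """Render the baseline as allow rules followed by a catch-all drop
    (iptables syntax used for illustration only)."""
    rules = [f"iptables -A FORWARD -p {proto} -d {ip} --dport {port} -j ACCEPT"
             for proto, ip, port in sorted(baseline)]
    rules.append("iptables -A FORWARD -j DROP")
    return rules


def classify(lines: List[str], baseline: Set[Flow]) -> Dict[str, str]:
    """Label each observed flow 'known' or 'deviation'.

    The label carries no intent: a legitimately new service and an
    attacker's new listener both show up as 'deviation', which is exactly
    why a fully automated response is prone to false positives and a fully
    manual one is a burden.
    """
    return {l: ("known" if parse_flow(l) in baseline else "deviation")
            for l in lines if l.strip()}


# Constructed sample logs (hypothetical RFC 1918 addresses).
TRUSTED_WINDOW = [
    "2000-01-10T09:00:01Z tcp 10.0.0.21:51234 -> 10.0.0.10:80",
    "2000-01-10T09:00:02Z tcp 10.0.0.22:51235 -> 10.0.0.10:443",
    "2000-01-10T09:00:03Z udp 10.0.0.21:40001 -> 10.0.0.53:53",
    "2000-01-10T09:00:09Z tcp 10.0.0.23:51240 -> 10.0.0.10:80",
]

LATER_WINDOW = [
    "2000-01-11T14:00:01Z tcp 10.0.0.21:51300 -> 10.0.0.10:443",   # known
    "2000-01-11T14:00:02Z tcp 10.0.0.22:51301 -> 10.0.0.10:8443",  # new service, legitimate
    "2000-01-11T14:00:03Z udp 10.0.0.23:40100 -> 10.0.0.250:53",   # unexplained new resolver
]


if __name__ == "__main__":
    baseline = learn_baseline(TRUSTED_WINDOW)
    print("\n".join(render_rules(baseline)))
    for line, verdict in classify(LATER_WINDOW, baseline).items():
        print(f"{verdict:9s} {line}")
```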
Telecommuting is one of those fascinating aspects of life that one really has to sit down and think about for a second:
A) No commute? That's great! Except for the fact that you weren't being paid to commute in the first place, and that the time you commute is in excess of your original eight hour workday. So while you were losing hours of your time for work, it somehow got onto your "personal time".
B) Home conversion? Suddenly, work has far fewer square feet of space it requires to house its workers--they get some of the worker's home, for free! Maybe it's a room, maybe it's a bookshelf, maybe it's a desk, but there always ends up being one area of work controlled space. Again, this happens at the expense of the worker.
C) Predictable hours. Are people getting paid more to be available to check their email 24/7? It's one thing to stay at the office late, but you can only do this so much before you realize you're not spending any time at home. When there's a conduit to your office at any time, you work more hours because you can.
That being said, I love telecommuting, and do a lot of development at work to make it possible, but I'm very clear on the fact that it can save companies millions while mainly giving back workers time that they weren't even getting paid for in the first place.
OSHA has rules regarding workstations that cost companies money but in the long run save employees much pain and misery. With all that the company gets out of having a worker stay at home, it's not unreasonable to expect a heavy telecommuter to receive a computing environment that respects their health. Telecommuting should not be a way to escape ergonomic regulations.
Agree? Disagree?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Code not created for public consumption often contains...ahhh..."commentary on the state of the computer industry in an informal, casual, and often rude manner."
Assuming that you're not the paragon of Mature and Uberprofessional Coding Practices, I'm sure you have more than a few sections of rather...blistering observations. Seeing as how this is News for Nerds, evil Perl most assuredly counts as Stuff That Matters. I'd like to see some segments of code before they were "Sanitized for Our Protection".;-)
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
It seems like whenever we embark on some crazy job, there ends up being one day we always remember, one set of circumstances that we could never have experienced without beginning that journey but never have predicted in advance.
Since the creation and subsequent explosion of Slashdot, what one day stands out in your mind as the most randomly odd of them all?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
As much as I love the EFF, having attended the trial I can see why we lost:
They said their stuff was stolen. We argued that we should be able to get away with it.
"Their secret wasn't protected enough" "They waited too long" "They knew it'd be broken" "They don't know for sure we got it from Xing" "Maybe they don't really have the right to sue us!"
Note, we didn't argue some greater good that is served by the taking, nor the harm implied by enforcing a unilateral license agreement upon a captive audience. We didn't claim they had no right to deprive us of rights, hell, we didn't claim a single right at all. This is coming out a hell of a lot more bitter than it should, but I think this loss will make us stronger in the long run.
They proved they lost something. We tried to prove...something. I'm not sure.
Here's my summarization of the plaintiff's case. I'm not going to continue this document, but rather work on something completely different--something that directly addresses just exactly what the DVD CCA is trying to take away from us.
I'll be honest: I'm not happy with the way this turned out, and if I wasn't so crammed for time (I literally just secured long term housing for myself around 20 hours ago), I wouldn't even post this. But C'est La Vie.
=====
DVD Redux: The Plaintiff's Complaints
=====================================
A Courtroom Analysis by Dan Kaminsky
effugas@best.com
http://www.doxpara.com
After receiving a rude awakening from the Linux community--and, make no mistake, it's us they're fighting--the DVD Copy Control Association today stepped up their efforts to restrict the further release of the codes necessary to play a CSS-encoded DVD disc. Last time, they walked into court with the presumption of victory on their lips. This time, they fought with far more intensity. But with far more time to prepare, so did we.
As of the writing of this summary, it remains to be seen who will prevail.
For sheer lack of time (and because I have no idea if anyone wants me to finish), I will restrict my analysis to the opening case of the plaintiffs.
The plaintiff's case seemed dedicated to addressing the wounds it received at the TRO (Temporary Restraining Order) hearing. Extensive evidence was offered justifying the claim that the DeCSS code was derived from Xing--a fact not extensively challenged online, but a core doubt raised by the defense at the TRO hearing. Posts on Slashdot were quoted *heavily* by the plaintiffs as an attempt to prove that the Linux community was on notice that it would be illegal to decrypt the video stream.
Yes, this means that Ye Olde Anonymous Coward has been entered into the court record. Numerous comments from many parties to that discussion, including AC's, that contradicted the plaintiff's case and notified developers of their rights to reverse engineer were however conveniently ignored by the plaintiff. Such examples of distorted reality cropped up all throughout the hearing; quite annoying, to say the least.
At this point, the Plaintiff's case turned truly bizarre. While the DVD CCA fell over itself to say it wasn't actually invoking the Digital Millennium Copyright Act, which may only be invoked in federal court, it made arguments under the act as a means to express and provide a perspective upon the Public Policy of the United States of America and, indeed, the 171 signing nations of the WIPO treaty. The relevance, argued the plaintiffs, was that since California's Uniform Trade Secret Act spoke of impropriety and not unlawfulness, the established public policy of the country should be used as the standard of what is proper and what isn't.
I must admit, I wasn't aware that playing a DVD qualified as a particularly un-American activity. It might explain the civil disobedience campaigns (t-shirts/contests) that the plaintiffs were so utterly disturbed by, however. Anyway, one wonders about the public policy the courts are supposed to apply when there's absolute consensus outside of Hollywood that individuals should be able to A) Play their own videos, B) Sell their own CDs, and C) Record their own TV Shows while still remaining good, patriotic Americans.
The case then moved into the International realm. Much noise has been made of the fact that reverse engineering of this type is generally quite legal in Norway, and indeed Europe as a whole. Both sides presented experts on the topic; needless to say, the opinions were not identical, the plaintiff pretty much claiming their expert made a more convincing argument than our expert. The plaintiff's expert, a Norwegian lawyer, claimed that the general law prohibiting unauthorized access to another individual's property, and particularly another person's data, should be applied in this case. On its face, this seems rather strange, since this case is about preventing a person from accessing data contained within their own physical property--the lawfully purchased DVD disc. But that's just my opinion.
The defendant's expert, claimed the plaintiff, was far more circumspect and wishy-washy, saying in effect that it could go either way and that the issue was undecided in Norwegian courts. Since the plaintiff's answer was definitive and the defendant's answer was less so, the former ought to be considered more valid than the latter.
Returning to the core facts of the case, the plaintiffs reasonably argued that of all the defendants, none had provided an alternative source of the data aside from the Xing rip. Furthermore, the applicable law stated that prevention of *further* disclosure of a fact discovered after the usage to be a trade secret was an acceptable remedy, and since they weren't suing for anything more than such restraint (no damages, real or punitive), an injunction would specify the exact relief the law provided for. Since the defendants were on notice anyway, by both the passage of the DMCA and through "pervasive Slashdot discussions", this wouldn't be a surprising or inappropriate occurrence.
Next, the plaintiff's primary counsel addressed the Linux interoperability argument. Given that a Linux developer would be willing to accept the arguably onerous terms of the CSS license (among which is that no imported DVDs may be playable, and that the source code be heavily closed and encrypted), the DVD CSS would be more than happy, he argued, to provide legal access for Linux users to play DVDs. Since IBM and Intel are both heavily invested in Linux, they argued, the means exists for a Linux DVD license to be signed.
The plaintiffs then trotted out the obligatory Coca Cola example: McDonalds sells Coke products, but Burger King only sells Pepsi. Just because you want Coke at Burger King, doesn't mean you get to steal the syrup off the truck, or break into Coca Cola headquarters and steal the formula. (I was unaware any DVDs had been stolen at gunpoint from UPS, or that Eric S. Raymond had led a crack commando team into the heart of Santa Clara for Operation LiViD-By-Any-Means-Necessary.) Because of this willingness, stealing the trade secret could not constitute appropriate self-help under the exceptions granted for interoperability. Sony's successes against the emulation community were raised, and the point that there was no fair use of trade secrets was made.
At that point, a new attorney for the plaintiff came up and began arguing against the EFF's extensive 1st amendment case. The EFF pointed out that the DVD CCA is seeking prior restraint against news sources (Slashdot itself is a named party), and that people merely want their traditional free speech rights to be enforced. Three responses were made: First, that the theft of trade secrets does not constitute a traditional usage of free speech rights. Second, that the defendants were not news sites (Slashdot?), and even if they were, they still couldn't post trade secrets. Finally, that the posting went beyond discussion--actual code was either directly there or being linked to.
The plaintiffs provided an example of what they'd like the judge to rule. It'd be acceptable to them for the San Jose Mercury News to provide commentary and analysis on the topic of the DVD decryption system, but to actually publish or link to the broken system would be a violation of trade secret law in their eyes. (As the defense later noted, such a linking has already taken place.)
In an interesting move, the plaintiffs used the Bernstein precedent that code is a form of speech to defend their position: The government was trying to suppress Bernstein's publication of his own encryption code. This is about a judge suppressing 200 John Does' republication of someone else's encryption code. Of course, that implies that the code being republished was, in fact, someone else's--an access key does not a software product make, particularly when, as Sega v. Accolade decided, stripping the access key from a piece of software is necessary to make other software interoperable.
The plaintiffs are continuing to attack even mere linkers--the whole concept of "instant access" to infringing sites scares the DVD CCA. One would think that the downsides of implicating the New York Times (as the defense pointed out) would override the advantages of a bit more protection against spurious links, but perhaps the DVD CCA sees things differently.
One thing the DVD CCA took particular offense to was the claim that the defendants were, in fact, helping them out by exposing the weakness of their system. They rather reasonably noted that, if the defendants were looking to help the CCA out, they could have sent an email, perhaps a real letter. Selling T-Shirts and running contests wasn't helpful.
On a sad note, the plaintiff's case concluded with some of the more vitriolic fear mongering and inappropriate references I have seen in quite some time. Beginning by claiming that the defense was trying to dismantle the entire IP system, massive (and rather irrelevant) hacks against military bases funneled through stolen Pac Bell internet account information, as well as the recent CDUniverse credit card scandal, were brought up as what could only be termed as character assassination against the "hackers" of the defense. Then, with the size of the DVD industry paraded in front of the judge as the sole reference to the irreparable economic damage that DeCSS and Linux players must surely create, the plaintiff made the entirely valid point that while the hacker community has embraced DeCSS, LiViD, and other CSS cracking systems, the mainstream has not yet adopted such tools. But what of the harms, should a mainstream that fought bitterly against record "spoiler systems" and has spent the last twenty years making audio mix tapes using their cassette recorders?
The direct harms that the DVD association brought to bear were summed up in a quote, in which it was stated that without legally backed copy protection, no media format (such as DVD Audio) could ever be good enough for Hollywood. And perhaps this is true. Manufacturing costs, the splurge of spending that accompanies repurchasing of previously owned content, now New And Improved, maybe even the profits from the conflicted-interest consumer electronics divisions (Sony) just wouldn't be enough. Without the ability to technologically mandate what the courts would never accept--government enforced regional sale restrictions, arbitrary demands on DVD player manufacturers, a ban on personal backups and "mix DVDs"--perhaps we'd never see the big studios agree to new formats.
Oh well, I'm off to go play an 8-Track and catch some sleep, secure that they'll never give me a better quality music format for me to play with...
More next time, if you like.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
A little bit of clarification here:
:-)
AOL has *always* taken over your IP configuration whenever you connect, or at least it has since AOL 3.0. I figured this out a few years ago, when I realized that this one girl I was troubleshooting (heh) over ICQ had somehow managed to appear on an IP address far, far outside our dorm network.
AOL doesn't trust *anyone's* code--they put a custom VPN style interface into every windows machine they're shoved into. (This is that "AOL Adapter" thing.)
Incidentally, AOL makes for quite an excellent covert channel--high bandwidth expectation, protocol unhandled by most sniffers (as far as I know), and a Linux client. Never, ever allow AOL access out of your corporate firewalls.
This latest behavior *does* seem rather insane. They're basically uninstalling the software of other companies--that's far and away beyond the expectations of the user doing the installation! That exceeds the implied contract, and has all *sorts* of problems with sheer fraud--what if AT&T phone service automagically prevented Sprint from calling you with a lower rate? What if NBC sent hidden signals to your television station removing CBS and ABC from your channel listings? (Yes, I'm noticing the irony with the recent CBS brouhaha.) Hell, what if putting in a demo for Quake 3, Unreal Tournament was wiped from your hard drive?
Let's expand on that: There'd be a significant amount of anger if Id Software sold a "competitive upgrade" for Unreal Tournament at a reduced cost that left UT unplayable, but even that would pale to the rage if the user wasn't warned prior to purchase or even installation that installing one game would remove its competitor.
In the name of simplicity, that's what AOL is pulling.
And what about the privacy implications? After all, half of privacy is the ability to sequester oneself in a private domain. (All "explicit privation" methods fall in this category, from locking one's door to calling someone on a pay phone.) AOL's behavior intentionally removes the options of accessing a private domain, requiring intentional and difficult re-enabling of those alternate ISPs.
Not good. Not good at all.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Everyone likes to talk about Denial of Service attacks through packet spoofing, twisted fragments, etc...
Perhaps the MPAA is teaching us about attacking not the technical but the administrative infrastructure!
Think about it: Spoof an email from a major law firm, claim that a certain individual has been writing harassing emails from a given account, attach utterly forged harassing emails, and watch the target account get dropped like a rock.
Do that to the phone company, you'll get ignored. Do that to a small ISP, you'll *still* get ignored. But do that to any ISP with a division between engineers and management, and your target is toast.
Thanks, MPAA! You've just taught me a beautiful new technique for denying internet service to targets who talk about things I don't want to hear about. I guess you're just the greatest hackers of all.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
As art imitates life, life imitates art. We're watching what may very well be the most interestingly designed media campaign of the last few years--certainly the most intentionally mysterious, curiously designed, creatively leaked (certainly the most...effectively subversive use of the US Patent Office) company the computer industry has ever seen.
Twenty minutes, and the gloves come off. They've had years to prepare for this; now we get to see if the computer industry gets its first proper launch.
No more delays. No more promises. The most carefully marketed R&D house in Silicon Valley is about to open their doors--it'll be intriguing to see if they're as skillful on the open scene, under attack by the whispering galleries of competitors.
Hiring Linus was genius--you couldn't buy a more devoted audience.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Yup. The net is secure enough for billions of dollars of e-commerce, but not for voting. Here's why:
Fraud on the financial level is easy to detect--somebody is out their money. Someone either has their goods or has their money, and either they have both or they have neither. There's a long paper trail, with *individual* impact on only the two parties involved in the financial transaction.
Fraud on the voting level is so much different, it's scary. Your computer says, "Ah! Vote registered for Mr. Bob", that's it. You're out no money, you've lost nothing if your desktop has been secretly tampered with, there's no paper trail that you're going to have any reason to analyze because you're not going to know anything went wrong. Let's not forget, with nothing written down, there's no physical evidence of the original votes--how can one demand a recount when the servers store the votes? Once the data enters the server, all sorts of unique WORM/cascading signature/etc. methodologies can be applied, but it's gotta get there.
The most insidious part of all of this is that it's not simply the voter that loses out by a falsified vote, but society as a whole. Votes affect everyone; financial deals are limited to those directly transacting.
Maybe something like iButtons, or Amex's Blue might go a long way towards increasing my faith in online voting. For now, I just don't think the tech is there for something so critical.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
And they do have the right to control what formats the content they produce is distributed on. "Fair use" is for quoting and limited reproduction, not redistribution of the entire body of material.
So AvantGo, which converts websites (in as much detail as you like) to a lower quality, Palmpilot-viewable form is unfair use in your book?
Hell, what about recorders? They downshift a high quality NTSC signal to a degraded--but still viewable--form for extended storage. Sony v. Universal was pretty clear that this was OK. RIAA v. Diamond even went so far as to establish the right to space shift--I have a 10GB hard drive, and with transcoding I could probably put a half dozen movies onto my 2.5-inch platters. Give me a minidisc size device with a 10GB hard drive and eyeglass displays, and suddenly I can carry a small chunk of my movie library in my pocket.
Who is the movie industry to tell me that I can't do that?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
All human transactions include built in presumptions about the status of each interaction--in plain English, there's a lot about what we get from each other that we just sort of "assume".
Contracts generally exist to clarify assumptions, not introduce utterly unexpected clauses--for example, a parking lot *can* disclaim liability for random damage caused to your car, but *can't* make the claim that exceeding one hour parking causes ownership of the car to transfer to them.
Contracts reflect the surrounding legal environment; they rarely completely rewrite it. The leeway granted on contract negotiations appears to usually be connected to the equivalent levels of power between the two negotiating bodies--the less legal force one party has in relation to another, the more the validity of the underlying contract is controlled by the legal environment. (Thus, the recent dismissal of an employee's noncompete clause which stated they couldn't work for a year in the same industry--this would have destroyed the employee but done no harm to the employer, thus the judge declined to enforce.)
This applies directly to the re-editing of video streams in that there's a presumption by the viewer that what they are seeing is a representation of the facts. The yellow first down line represents a fact that is in conceptual existence but lacks physical representation. This is a use of the technology to aid comprehension. However, the surreptitious modification of video streams to replace advertising and/or objectionable content is different--there is no underlying shared context being expressed, rather the value that the viewer places in what they see within in a given scene is redirected towards whatever the production crew desires.
Now, it obvious that the production crew can decide the backdrop as a whole--indeed, computer generated news desks are not entirely rare. But they're represented as such, and come replete with their own credibility wins and losses. Similarly, a correspondant appearing to report from the Middle East is spawning the presumption that, "They must know what they're talking about because they're actually there when I'm sitting on my couch *here*".
We attach value and credibility to the backdrop of any news report--even the simple tagline for an AP Newswire story gives the location of the author (if not his or her name).
To replace advertising, or any content in a non-obvious manner (pixelation of objectionable content is obvious, and explicitly changes the context of the display) is to borrow the credibility one holds for an environment and secretly sell it to the highest bidder.
That's not fair, and not even a 1.5 second blurb at the beginning of a broadcast can escape that fact. It's lying to the customer. That's not fair. Show some kids a walking, talking, thinking Teddy Ruxpin bear, and when they grow up provide them invisibly manipulated cities and scenes to believe in?
Hell, at least they're consistent.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Re, the worries about "bad nerds"--
We pretty much impressed everyone there at the TRO hearing--I'm dead serious, I don't think the staff at the courthouse had ever experienced such a courteous crowd. Bruce Perens had a lot to do with this, as he guided us as a mass quite effectively, but everyone there deserves credit for giving the Linux community a good name.
In comparison, the plaintiffs pretty much walked in there like they owned the place, made arguments which were essentially "Not only did these guys post the code, but they were really really mean about it and made fun of us!", and talked about the hundreds of thousands of jobs the movie industry creates. There may have been less of them, but guess which group was more civil?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I must admit, I'm not particularly optimistic about you receiving this question, but I feel the question deserves at least the opportunity to be asked:
Do you feel there is, at times, an inappropriate tendency to assign properties to the universe for no other reason but that specific equations proven on a lower end of inputs will show "amazing results" on a higher range of inputs?
Call it false linearization if you like--the best example I've heard of this came from Bill Gascoyne:
A cautionary thought on the dangers of extrapolation.
It is reported that in 1977 there were 37 Elvis impersonators in the world. In 1993 there were 48,000. At this rate, by the year 2010 one out of every three people in the world will be an Elvis impersonator.
While I'm assuredly not qualified to mention specific examples of what I might feel qualifies as inappropriately applied mathematics, I'd be interested in hearing your perspective on the commonality of this type of error.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Death: It Sure Ain't What It Used To Be.
Over the last couple of years, we've seen a parade of technologies trotted out as a sign of the death of the PC--everything from the Network Computer to "Web Everywhere" style initiatives.
But the PC hasn't gone anywhere. A lot of this can probably be attributed to its flexibility in adjusting to changing market demands, for example, the emasculation of per system cost (the former NC trump card).
Thus my question: PCs can change rather drastically over very little time; that much is clear. What form do you see the coming changes taking, and what effects do you see from these changes upon both Linux and the Computer Industry tendency to go into Death Watch Hypefests over the future of the PC?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Around the time of the Star Wars Sorenson Compressed Trailer, one of the major Linux video player authors requested access to the Sorenson codec to play that trailer. Reports were that Apple refused to give the coder access to the codec.
Go look back through Slashdot archives--I read it here.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Please don't think of ER as an accurate portrayal of life in a hospital emergency room. Most doctors I know either can't stand to watch the show or watch it only to get a good laugh.
I think tech life could be edited down to a rather crazy hour, just like I'm sure every episode of ER pretty much contains the craziness of an entire month crammed into the timespan of a few minutes. C'mon, like "pre-IPO", college interns, managers, mad scientists (me), and various forms of firefighting couldn't be at least moderately interesting.
Remember, it wouldn't be so much about the tech, but the people behind the way the tech dies, and the methods by which other people spur into action to recover the systems.
Then again, Law and Order is an amazing show *because* it focuses on the law, not the people...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
MOV? All the pain of an AVI, with free delays while you deny Apple their cut. From the guys who killed Firewire...
:-)
Ugh. [Dan slaps himself around a bit.]
Firewire's launch has been botched--there's no other way to describe the bottom line that having one company call something Firewire while another calls it I-Link while others refer to an IEEE standard is just bad marketing sense that I'm sure some licensing scheme brought about.
Too bad, too, because besides simply having the most awesome interface name of the last twenty years, Firewire pretty much is one of the more perfect external interfaces imaginable--though I don't think they've done the security wrangling that the SIO guys are doing. For those who don't understand security considerations of one bus uniting all devices,
imagine the concept of a rootmouse that once plugged in issues calls directly to the hard drive retrieving critical files, all independent of the underlying operating system. That's the kind of worry you just don't have when your mouse is hanging off a 9600 bps UART.
But overall, saying something like this was pretty much flamebait. Off hand, unsubstantiated, assuming that the rest of the audience took as obvious fact what is really a rather contentious issue--these are all things that pretty much guarantee you're gonna fuck something up, and as *ahem* numerous AC's felt free to "adjust my perspective", I fucked something up.
There's very likely a good deal of hype streaming out of Intel against Firewire, and I fell right for it. Damnit.
I was pretty exhausted when I wrote this post, but that's not really an excuse. I don't usually ask for moderation, but if someone wouldn't mind tossing a few points on this apology post, it might quell the flamage.
Sorry, all.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
P.S. Couple of you AC's expressed a problem with my writing in general? Email me, if you're not afraid of revealing yourself.
There's nothing stopping you from using a different player (IIRC, both Cisco's IP/TV and the Java Media Framework come with QuickTime-compatible players).
;-) and the ability to drop packets in favor of resyncing the media stream? Well, now you need to talk about the underlying format, now dontcha ;-)
;-) Mea culpa, tryin' to recover here!
I wasn't aware that IP/TV could parse QT-headered information. Very cool.
This is one of the things I generally like about Slashdot--chunks of knowledge that aren't composed of out-and-out flamage. You'd think I posted that people's mothers were spawns of satan or something.
One thing I've begun to take very strong issue with is the presumption that it's acceptable to have a fleet of codecs required to play any single media file, with all the codecs wrapped in a single consistent wrapper (Quicktime/AVI wrapping Cinepak, Sorenson, MPEG-1, MPEG-2, AC-3, MP3, Metavoice, etc.). SDMI is planning to use this method, with the idea that "if one company's system is broken, there will still be 19 left."
Talking about an open source streaming solution is empty without talking about the underlying protocol--hell, I've got an open source streamer right here (cat mystream.mpg | nc -l -p 5000). What? You want to use a custom UDP based architecture without any of that annoying Flow Control (poof goes the net
Experience has taught us that, even on the most compatible platform--I'll calm the flame war by not saying its name--so called "wrapping" architectures fail miserably with surprising regularity. Sure, Quicktime as a format is open, but Sorenson has gone on the record--no compatibility for Linux. Oops, now we ain't gonna be able to watch the Star Wars Preview...gotta go get a closed platform for that.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
P.S. What the *hell* was I doing posting as sleep deprived as I was last night...I don't think I've ever woken up to as much of a Slashdot mess as I have tonight.
Yes, I know. They tried to charge too much at first. They backed off, and now it's a big 25 cents!
Wow.
They started off with a dollar a port, which would have made adding Firewire connectivity one of the most expensive parts of any system. They knew they had a great technology and--guess what--they blew it.
The quarter license came too little, way too late, and now we're saddled with the horribly overstressed USB architecture.
The general idea is that Apple would have made much more money actually selling video editing macs rather than talking about it for years on end and finally making a lone stand w/ Sony on the joys of home video editing. I'm sure the two companies, who thanks to Apple couldn't even share the Firewire name (Is it Firewire? Is it i-Link? Is it IEEE-Gevalt), did pretty well. But that just can't compare to how much business they might have done if home video editing was The Big Thing. It could have been, if Apple hadn't been so stubborn. They could have guided the evolution of the industry in more ways than just blue plastic.
Oh wait. Why am I responding to flamebait?
Uhm, I don't know. Anyone who speaks kritikally of Apple is suddenly posting flamebait?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
QT streaming server can serve any codec -- it doesn't really care what it is. Likewise, the quicktime player will play multiple codecs, including MP3 and mpeg2.
We have not even begun to get confused. You've actually got more than just "the server" and "the codec" involved--you've also got the "wrapping architecture around the codec" to deal with. Does QT Server stream not only Quicktime Encoded MPEG-1 streams, but also data that conforms to the standard *.MPG file format? It may! It may not! The general theme though is that while the QT player might be able to handle that variant of
I'm not crazy--there's a definite chance that this software plays nicely with whatever you throw at it. But it's honestly not a hard problem to stream MPEG, and it's generally just not a good idea to stream video when nobody has enough bandwidth to get an acceptable level of service.
--Dan
Lots of companies with large amounts of money invested in overly complicated streaming systems will complain, but there's a real bottom line:
The standard video format is MPG, because MPG Just Works. Everywhere.
AVI has failed. The general perception of an AVI file is one that might play, might not, might suddenly install a new codec, might not, who knows. No predictability.
MOV? All the pain of an AVI, with free delays while you deny Apple their cut. From the guys who killed Firewire...
RM. Realmedia ain't bad, but it just doesn't scale up too well. There's this common delusion that only people with broadband links should be able to view high quality video--in this paradigm, RealMedia can do OK, since relatively few people have consistently extreme high bandwidth links to the Net. But, ya know what? This paradigm leaves millions of people unable to view high quality video, except on television.
Presume people can download clips and watch them later, and suddenly the stream-biased, bandwidth-capped format that is RealMedia suddenly looks stale and chunky.
The bottom line, beyond quality issues, is that MPG has won for the same reason MP3 did: It Works. All the various copyright protection systems are obsessed with creating situations where the consumer tries to do something and It Doesn't Work. As I'm sure the consumer trials are showing, when Things Don't Work, consumers simply refuse to buy in. And that's the key--the investors may fund, the studios may create, but it's the consumer that pays for it all.
MPG may not be a low bandwidth streaming format, by any means, but the general obsession of streaming--and streaming only--is short sighted at best, and suicidal at worst. It will be interesting to see how this pans out over the next few months.
See y'all at the DVD trial...
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
For years, I've been wondering when us geeks would have a TV series of our own--one that, sorta like ER, gave an honest (and patently ridiculous--considering the manic depressiveness of the tech lottery^H^H^H^H^H^H^Hstock market) view of life in the ultra fast lane.
;-)
I hear Po Bronson was working on a show like this, but seeing these action figures, one has to wonder if a...younger, more malleable audience could be coaxed into Microsoft Hero Worship.
Geek Intern Joe. Oi.
This actually becomes much more interesting when you consider that most of the cartoons from the early 80's were entirely funded by toy manufacturers, not by the advertisers that ran commercials during the show. The show itself advertised the toy product--and oh boy, did we eat it up.
Yeah. I could see that kind of tactic. I'm not saying that's what they had in mind--no, I actually think the action figures are pretty damn cool. I especially like the Kung Fu Grip of the female doll...about to be struck down by Suck's own Jihad Tux, of course.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
I greatly respect the engineering that went into this paper, but I think we're talking about a little bit of...oh, I don't know...when you've got a hammer, everything looks like a nail?
What's been discovered is a method of, independent of the file system and various configuration files, extracting a key based on the difference between that key and the surrounding ambient randomness.
Independent of the file system?
How, exactly, is the web server supposed to retrieve the private key without a file call? Perhaps it should reference a specific block on the hard drive, and read x bytes from that location? Oh, oops, now we've got a "big deal" of a security breach in our web server configuration files.
When I first read this, I had assumed they discovered a method by which the private key could be divined by remote interrogation of the server side provided challenge. That's not what they discovered. They found a way that, given a hard drive with every single file concatenated together with no indexing system available, they could still find zones likely (but not guaranteed) to represent private keys.
Anyone here have a hard drive like that?
This is *cool*, from a geek sense. I appreciate the value of the research. But it's so far from a big deal, it's ridiculous. It's one thing to say that shared servers increase the risk of having your private key stolen--I'd *hope* that the keys of one customer are isolated from the owners of another--but this specific worry is just...inaccurate. Cool tech, but not something to have your blood pressure increase over.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
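The scan the post above describes, as an added example (not code from the post, and not the paper's own implementation): a sliding window measures byte entropy across a constructed "disk image", flags regions that stand out from the surrounding config text, and shows why such hits are only *likely* key material, since a compressed-looking blob with no key in it scores just as high. Window size, stride and threshold are assumptions chosen for this sample; the same scan is how one checks one's own backups or images for key material left where it should not be.

```python
"""Locating likely key material by its entropy alone (added example)."""
import math
import random
from collections import Counter
from typing import List, Tuple

WINDOW = 64       # bytes per window (assumption)
STEP = 16         # stride between windows (assumption)
THRESHOLD = 5.25  # bits/byte; config-style text stays well below this (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan(image: bytes, window: int = WINDOW, step: int = STEP,
         threshold: float = THRESHOLD) -> List[Tuple[int, float]]:
    """Return (offset, entropy) for every window at or above the threshold."""
    hits = []
    for off in range(0, max(1, len(image) - window + 1), step):
        e = shannon_entropy(image[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def merge_regions(hits: List[Tuple[int, float]],
                  window: int = WINDOW) -> List[Tuple[int, int]]:
    """Coalesce overlapping flagged windows into [start, end) byte regions."""
    regions: List[Tuple[int, int]] = []
    for off, _ in hits:
        if regions and off <= regions[-1][1]:
            regions[-1] = (regions[-1][0], off + window)
        else:
            regions.append((off, off + window))
    return regions


def build_image() -> bytes:
    """Constructed sample image: config text, a 256-byte stand-in for a private
    key, more text, then 128 bytes standing in for a compressed file body.
    Neither blob is a real key; both are pseudo-random filler."""
    rnd = random.Random(1)  # fixed seed so the example is reproducible
    text1 = b"ServerName www.example.test\nListen 443\nSSLEngine on\n" * 8
    fake_key = bytes(rnd.getrandbits(8) for _ in range(256))
    text2 = b"# log rotation settings\nrotate 7\ncompress\n" * 10
    compressed = bytes(rnd.getrandbits(8) for _ in range(128))
    return text1 + fake_key + text2 + compressed


# Byte offsets of the two high-entropy blobs inside build_image().
KEY_SPAN = (416, 672)
COMPRESSED_SPAN = (1092, 1220)


def likely_key_regions(image: bytes) -> List[Tuple[int, int]]:
    """Regions a scanner would hand to a human for review: both blobs are
    reported, and nothing in the scan distinguishes the key from the other."""
    return merge_regions(scan(image))


if __name__ == "__main__":
    img = build_image()
    for start, end in likely_key_regions(img):
        print(f"high-entropy region {start}..{end} ({end - start} bytes)")
```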
You'd think after the first 17 postings about that not being word, people would catch on. Guess not.
;-)
Gotta love the English language. Unlike, say, Spanish or French, there is no central committee which decides which words are valid and which ones aren't. While dictionaries and Trusted Newspapers take some of the responsibility, the general rule is rather democratic: If enough individuals use a given word to represent a consistent concept, and if that word is not a homonym of a word with a slightly different (and more standardized) spelling (their/thier/there), that word is considered coined and valid.
Remember, it is not the purpose of a dictionary to create the language, only to reflect it.
Altavista shows 8,496 usages of the unique word "virii". At bare minimum, "virii" qualifies as an alternative, non misspelled variant of the word "viruses".
Don't play semantic games with me, AC.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Some friends of mine just bought a Borg Cube style case--essentially something along the lines of two mid towers side by side, with some funky stuff done for mounting internally.
Oooh. Two mid towers.
Lots of cases I see down at Fry's are from manufacturers that got their hands on custom molded plastic that looks just like Apple's new shtick.
Oooh. iMac.
C'mon! Granted, the Penguin Case is cool, but it's still just that: A case. Show me some real designs, something that makes my jaw drop and go "Wow, I can put an ATX motherboard in that!?!" What about stereo components--hide a CD-Rom drive under a retractable panel and voila, a computer that integrates with the entertainment system. (Yes, Gateway had a monster system like this a while back.) What about glass? Sony has a LCD monitor embedded within a classic desk photo glass enclosure. People, it's beautiful.
We've got tens of thousands of people out there with the technical skill to render three dimensional vistas that take your breath away, or a battered soldier's rusting weapon. Sony does not have a monopoly on new case forms, and neither does Apple. I want to see what is possible and place my computers in what is obviously not a knockoff. I like beige boxes, but there's more to desktop machines. I love my Toshiba Tecra, but I'd be lying if I didn't say the sheer elegance of Sony's entire laptop line didn't blow me away.
C'mon. We can do better. Let's try.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
"Please fasten your seatbelts, as we are presently experiencing turbulence as the result of excessive metaphor shear."
;-) All in all, a nasty situation.
As much as I would absolutely love to fully envision the Net as a living, breathing organism...it isn't. There are aspects of biology that are appropriate, but I think it's fair to say that these researchers are presuming excessive organic/technical equivalence:
Technology is externally changed, quickly, and often within the same generation of machinery. Organics internally evolve, extremely slowly, and even then almost wholly reserve their changes for the next generation.
The fact that technology is externally changed means that there's no evolved internal consistency--the immune system must be explicitly modified to support the new transplant. As biology and technology have shown us, spooging the new into the old is difficult work. The speed of modifications too is frightening--while it's obvious that the host systems change much faster in a technological environment, I'd be interested in knowing the genetic variation of attacking bacteria and virii vs. the command variation of attacking trojans and computer viruses.
The generational woes are the killer--it is impossible to establish the biological concept of a "homeostatic self" onto systems that never stay either frozen in the present or predictable in their growth towards any degree of future.
Now, granted: There are assuredly "all quiet" states on the average network, and recognizing such states is a common tactic of network monitoring systems. (Indeed, there's a free app out there that will generate a firewall config that will pass any traffic it noted on your network during a "trusted state" period, then block anything else.) But that's a rather blunt methodology, and denies the inevitable existence of new services. The big problem is: How does one respond to a deviation? The curse of unpredictability is the inability to automate appropriate responses. The curse of being forced to constantly formulate appropriate responses is that it's burdensome and prone to false positives. The curse of not formulating appropriate responses is that you end up not responding at all.
I should be fair--I like what I'm hearing from these guys. I've been saying for quite a while that systems that prevent the results of an instability from being necessarily exploitable (essentially, randomizing and shuffling systems so that there is no predictable "skeleton key" to the system that works every time). Their talk about monocultures is perfectly appropriate here. IBM's work with victim labs is beautiful, if not more than a bit macabre if backwards ported to human biology. Even the packet signaturing is interesting. But we should be aware of the limitations of this technology, and I'm interested in just how aware these researchers are of the differences between the evolved and the created.
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
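The "trusted state" allow-listing the post above describes, as an added example (not the free app it mentions and not code from the post): flows seen during a quiet learning period become allow rules with a default drop, and a legitimate mail server brought up a week later is blocked exactly like the unexpected telnet connection beside it, which is the false-positive problem the post raises. The log format, addresses and rule syntax are constructed for this example.

```python
"""Baseline allow-listing from a 'trusted state' period (added example)."""
import re
from typing import List, Set, Tuple

Flow = Tuple[str, str, int]  # (proto, dst_ip, dst_port)

# Constructed log format: "<timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^\S+\s+(?P<proto>tcp|udp)\s+\S+:\d+\s+->\s+(?P<dip>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: traffic observed while the network was believed quiet.
TRUSTED_PERIOD_LOG = """\
2000-03-01T10:00:00 tcp 10.0.0.5:43211 -> 10.0.0.10:80
2000-03-01T10:00:01 tcp 10.0.0.6:43212 -> 10.0.0.10:443
2000-03-01T10:00:02 udp 10.0.0.5:5353 -> 10.0.0.2:53
2000-03-01T10:00:03 tcp 10.0.0.7:51000 -> 10.0.0.10:80
"""

# Constructed sample: a week later a new mail server (10.0.0.11:25) has been
# added legitimately, and an unexpected telnet connection arrives from outside.
LATER_LOG = """\
2000-03-08T09:00:00 tcp 10.0.0.5:43300 -> 10.0.0.10:443
2000-03-08T09:00:01 tcp 10.0.0.8:40000 -> 10.0.0.11:25
2000-03-08T09:00:02 tcp 198.51.100.9:4444 -> 10.0.0.10:23
"""


def parse_flows(log: str) -> List[Flow]:
    """Extract (proto, dst_ip, dst_port) from each well-formed log line."""
    flows: List[Flow] = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not match the constructed format are skipped
            flows.append((m["proto"], m["dip"], int(m["dport"])))
    return flows


def learn_baseline(log: str) -> Set[Flow]:
    """The 'trusted state': the set of distinct services seen during learning."""
    return set(parse_flows(log))


def generate_rules(baseline: Set[Flow]) -> List[str]:
    """Render the baseline as ordered allow rules followed by a default drop.
    The rule syntax is illustrative, not any particular firewall's."""
    rules = [f"allow {proto} to {dip} port {dport}"
             for proto, dip, dport in sorted(baseline)]
    rules.append("drop all")
    return rules


def classify(baseline: Set[Flow], log: str) -> List[Tuple[Flow, str]]:
    """Apply the learned baseline to later traffic. Anything not seen during
    learning is blocked, whether it is a new service or an intrusion; the
    baseline alone cannot tell the two apart."""
    return [(f, "allowed" if f in baseline else "blocked")
            for f in parse_flows(log)]


if __name__ == "__main__":
    base = learn_baseline(TRUSTED_PERIOD_LOG)
    print("\n".join(generate_rules(base)))
    for flow, verdict in classify(base, LATER_LOG):
        print(f"{verdict:8s} {flow}")
```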
Telecommuting is one of those fascinating aspects of life that one really has to sit down and think about for a second:
A) No commute? That's great! Except for the fact that you weren't being paid to commute in the first place, and that the time you commute is in excess of your original eight hour workday. So while you were losing hours of your time for work, it somehow got onto your "personal time".
B) Home conversion? Suddenly, work has far fewer square feet of space it requires to house its workers--they get some of the worker's home, for free! Maybe it's a room, maybe it's a bookshelf, maybe it's a desk, but there always ends up being one area of work controlled space. Again, this happens at the expense of the worker.
C) Predictable hours. Are people getting paid more to be available to check their email 24/7? It's one thing to stay at the office late, but you can only do this so much before you realize you're not spending any time at home. When there's a conduit to your office at any time, you work more hours because you can.
That being said, I love telecommuting, and do alot of development at work to make it possible, but I'm very clear on the fact that it can save companies millions while mainly giving back workers time that they weren't even getting paid for in the first place.
OSHA has rules regarding workstations that cost companies money but in the long run save employees much pain and misery. With all that the company gets out of having a worker stay at home, it's not unreasonable to expect a heavy telecommuter receive a computing environment that respects their health. Telecommuting should not be a way to escape ergonomic regulations.
Agree? Disagree?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
Code not created for public consumption often contains...ahhh..."commentary on the state of the computer industry in an informal, casual, and often rude manner."
;-)
Assuming that you're not the paragon of Mature and Uberprofessional Coding Practices, I'm sure you have more than a few sections of rather...blistering observations. Seeing as how this is News for Nerds, evil Perl most assuredly counts as Stuff That Matters. I'd like to see some segments of code before they were "Sanitized for Our Protection".
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com
It seems like whenever we embark on some crazy job, there ends up being one day we always remember, one set of circumstances that we could never have experienced without beginning that journey but never have predicted in advance.
Since the creation and subsequent explosion of Slashdot, what one day stands out in your mind as the most randomly odd of them all?
Yours Truly,
Dan Kaminsky
DoxPara Research
http://www.doxpara.com