Sure they make nothing. But they get stuff from the people who make it to the people who want it. That's as important a part of the production process as any other.
In most cases, the "overhead" of distributing and selling something is a bigger component of the overall cost than its production.
I fail to see how offering someone a job (which they are free to decline) constitutes exploitation. We in the rich world like to feel morally indignant about sweat shops, because the workers have a standard of living so far below ours. But, for the people working those jobs, they're usually better than the alternatives. They wouldn't take the job if they didn't think it made them better off than they would otherwise have been.
Now, there are exceptions: slave labor, forced labor by prisoners, child labor, etc. really are exploitation. But freely chosen jobs, however unpleasant, are not exploitation - they're often a family's best hope of being able to feed their children.
No, basic DOD security clearances (Confidential, Secret, Top Secret) are not classified. In fact, your clearance level is printed on your badge where I work: Having a clearance level wouldn't do much good if you couldn't tell anyone what it was. Imagine this dialog - A: This area's restricted. Are you cleared to come in? B: I can't tell you unless you're cleared to know. What's you clearance level? A: I can't tell you unles... what's yours? and so on.
However, you're not encouraged to attract a lot of attention to them, either. Making a show of having a clearance could attract the attention of the wrong sort of people (i.e. people who want access to things you have access to).
We're not quite there yet, for better or worse. There were lots of ground troops involved on both sides. It just happens that the ones on our side belonged to our allies, rather than being U.S. soldiers. Our machines didn't win a war: they tipped the ballance of power in an existing war between conventional armies.
Amid all our technological self-congratulation, let's not forget that it took thousands of armed men on horseback (literally) to drive back the Taliban forces.
This is actually a pretty straigthforward task, as the ammount of new platform-specifc code should be pretty small:
I'm told that QT code is source-compatible across platforms, so that's taken care of. Sockets libraries (network I/O) are the same under windows and Unix. That just leaves threading and serial I/O. The good thing about threading is that you probably only need to implement wrappers for a small portion of threading libraries (i.e. the portion you actually use). Posix Threads defines about 60 functions, but I honestly only ever use about 6: pthread_create, pthread_join, pthread_mutex_lock, pthread_mutex_unlock, pthread_detach and pthread_exit.
I don't know much about serial I/O under win32, but I doubt that it's too difficult... (heh)
It seems that this is not necessarily optimizing for Quake3 at the
expense of other software. When making design decisions, in some cases
one option is simply better than others. e.g. Choosing a
radix sort
over a bubble sort is basically all benefit and no cost. However, other
decisions will improve performance for some tasks while reducing it for
others. Think about Amdahl's Law for instance. Or consider adding an
index to a field in a database system improves the performance of queries but
reduces the performance of inserts and updates. In optimizing a system,
your goal is to maximize it's performance in actual use. That means that
the more you know about the expected use, the better design decisions you can make.
If your database is being used to log transactions, and inserts will outnumber
queries, you don't put the index on. If it's being used for census data, and will
be updated seldom or never, but querried frequently, you do. That is to say, you
use what you know about which operations will be requested the most often, and
favor those at the expense of less-frequently used operations. The problems is
that you often don't know which operations will be used most frequently at design
time. If, however, some of these decisions can be made at run time, you may have
more information available, and will be able to make better decisions.
Which gets us back to the issue at hand. I don't know anything about the inner
workings of the Radeon driver, but there are probably a number of similar tradeoffs
involved in its design. The most reasonable interpretation is *not* that Radeon
has optimized for Quake 3 at the expense of other programs. If that were true, it
would run at the same rate whatever it were named. The better explanation is that
when the driver knows what program is being run (such as Quake 3) it optmizes
itself to the known characteristics of that program, and when a program which
the driver knows nothing about (such as "Quack") is run, it uses default settings.
Thus, it's not necessarily favoring Quake 3 over other applications, but is instead
using optimizations for for known programs which are not available for unknown
ones. There's nothing in this article to indicate that similar optimizations
haven't been made for Counter Strike, Half Life, or any other popular 3D programs.
I'm amazed that no-one has addressed this yet, but what do we know about driver support? Specifically the usual suspect components: Video card, sound card, USB controller and FireWire (!) controller?
I do know that the RealTek 8139 ethernet card is supported under Windows, Linux and FreeBSD.
I work in air traffic control software, but I am speaking for myself and not on behalf of the company.
I don't have a conclusion about the wisdom of ground-based control of hijacked aircraft, but I do have a few observations:
Technologically, such a system would be a long, long way off. Current software monitors aircraft and displays information and warnings, but actual control decisions are made by controllers and transmitted by voice to pilots. Also, due to the great concern over reliability, major changes require a long time.
A remote-control potential is itself a vulnerability. If it were too easy to activate, terrorists could use that functionality against aircraft. If if were too hard to activate it wouldn't do any good.
Depending on altitude and location, aircraft are not always in continuous communication with ground control. This limits the usability of such a system.
Beauty for quality's sake makes better software
on
Software Aesthetics
·
· Score: 1
Software has to:
1. Meet user requirements.
2. Meet user requirements (in 10 years).
If your business plan includes any kind of long-term component, you know that initial sales are only a small portion of your revenue stream. If you write software for retail sale, the long term comes in the form of selling subsequent versions of your product. If you develop directly for large clients, it usually comes in the form of explicit code maintainance contracts. This is doubly true because most software has relatively few users for the initial release, and only gains widespread adoption with time.
Either way, you're in it for the long haul. The known user requirements are not the end-point of your development effort, but rather the first of many waypoints. Maintainability and extensibility are everything: If you can't correct the bugs in version 1.0 and get version 2 out the door (both in a timely and cost-effective manner) you're not going to be selling much software. That's why an elegant design is worth the extra initial cost.
It's been said before, and will certainly be said again, but there is no such thing as a "totally secure environment." The best realistic target is "an evironment which will cost more to penetrate than the contents are worth."
It's important to maintain feasable security expectations.
There's a famous quote about the only secure computer being turned off, buried in concrete, protected by nerve gas and armed guards, and still not quite secure enough...
"8. Use 10-Mbit hubs or switches in your dorms. This will keep the rest of your network (100Mbit?) nice and tidy from P2P traffic."
This is only true or relevant if your internal network bandwidth is the limiting factor in P2P transfer rates. Assuming that all or most of your students' P2P file transfers are going to/from off-campus systems, the limiting factor will be your outside internet connection anyway. Unless you have >= 10Mbps connectivity, of course.
Also, well-implemented switched ethernet will isolate the rest of your network from intra-resnet and resnet-internet traffic.
"9. Keep a close eye on possible haxors. You know how to identify them, the kids who bring their own Cisco routers to school. They're the ones who are going to bring down your gateways."
They're also the ones who'll probably be your best CS students and future networking employees. Don't alienate or be rude to students just because they're technically adept.
This is kind of self-evident, but a demonstration that wind power *can be* used for such purposes is entirely different from a demonstration that is *was* used. This only shows that the theory is not totally impossible, not that it is probable or true.
Sure, some people have made bad financial decisions, and must make good on their debts. Reposessions is important and necessary. But neither he nor we should be taking joy in the suffering of others. Real people's lives are falling apart. It may be their own fault, but it's still sad.
A reposession man should no more be happy about layoffs than an undertaker should be happy about an epidemic.
I don't think that works as well as you think it does. Suppose you have an opt-in system. Who gets to opt-in? You assume there's a master list of who can create a copyrighted work. But there's not. Anyone who makes a creative work is a copyright holder.
How is napster supposed to know who is the copyright holder of any given work to submit it in the first place? They can't possibly have a person deal with every file that's proposed, so this has to be done in an automated way. If I want to allow my work to be distributed over Napster, and I send them a checksum and say "Let MP3 files matching this checksum pass" how are they going to know that I actually hold the copyright for that work?
Further, checksumming doesn't really work anyway because any change to the file, such as a bit-rate conversion, will break the checksum. If I want to allow people to covert my file to a 64kbit stream, or Vorbis, do I have to provide a checksum for every legal variant? Moreover, Napster, Inc's servers can't possibly checksum the files, because the actual files never pass through the central servers. The servers's get information from the client software. So the client would have to checksum the files. How long do you think it would take before people altered the clients to provide fake checksums?
I really think that this problem is a lot harder than you might initially imagine.
For a more thorough discussion of the issue, here's a comment I wrote a while back on this basic problem, on the afore-metnioned GigaLaw mailing list.:
http://gigalaw.com/archives/0103/gigalaw-discuss -0 103-00027.html
**
The short answer is that there is no reliable way to identify an MP3 other than
having someone listen to it. This goes double for services like Napster which
never handle the MP3s themselves and have to rely on user-supplied data.
As I've mentioned in previous posts, filtering by name won't work. Other
solutions fare no better. Here's the long answer:
There are mechanisms which make is possible to identify CDs and MP3 files, but
they're all voluntary. CDs contain a serial number and a table of contents,
which lets you look up CD information in a database called CDDB (for CD
DataBase). This is how a lot of modern computer CD players get the song titles
and such. MP3 files allow what are commonly called "ID3 tags". They are just
a chunk of the file which is set aside for text, so that information about the
file can be stored there. This ID3 information is generally filled in by the
person who created the MP3, but it can be changed later by anyone who wants to.
These features are very useful for legitimate users: For example, I encode my
CDs into MP3 format so that I can listen to them on my computer and with a
portable MP3 player. The software I use reads the serial number off the CD,
gets information from the CDDB database, and then sets the ID3 tags
accordingly. That way, each MP3 is tagged with the title, artist, and album.
Unfortunately, these features are useless from a copyright enforcement
standpoint because they are controlled by the user. There's no way to make
someone set the ID3 tags correctly, so you cannot rely on their accuracy.
The concept of a hash code is very much like a fingerprint. Hash codes let you
take a file and produce a number that uniquely identifies the file. This
number can then be used to verify whether that the file hasn't been modified,
or to check other files and see if they're the same. Much like a fingerprint,
there's not an 100% guarantee that two files with the same has code are the
same file, but the odds are billions to one against any given two different
files having the same hash code. Theoretically the RIAA could give Napster a
list of hash values for every illegal MP3, and then Napster could detect it any
time one of those files was sent. Unfortunately, this doesn't work in
practice. The strength of hash codes is also a weakness in this instance: If
you change a file in any way, you totally change its hash code. This is good
for detecting tampering, but bad for identifying MP3s. There are inummerable
changes an infringer could make to an MP3 file which would not alter it in any
meaningful way, but still change the hash code.
There is a company called eTantrum, Inc (www.etantrum.com) which has developed
a technique for identifying music based on its audio characteristics, which
should be independent of the file format or other easily-altered features. If
it works as intended, it could be used to identify songs, which is what the
RIAA would like. It is, however, open to question how well it actually works.
Even if it does work, it could still be easily defeated: Currently, Napster
acts as a search engine and broker, matching people who want a given song with
people who have it. The file is then transferred between the users themselves.
Thus, Napster never sees the MP3s themselves and has to trust the users to
supply accurate information. Needless to say, users wishing to transfer
infringing information would provide incorrect data.
Useful references:
Audio CD format-
http://www.disctronics.co.uk/cdref/cdbasics/cdba si cs.htm
MP3 files and ID3 tagging-
http://webhome.idirect.com/~nuzhathl/mp3-faq.htm l# ques29
Hash codes-
http://www.thawte.com/support/crypto/hash.html
The (in)feasibility of copy protection and water-marking-
http://www.counterpane.com/crypto-gram-0011.html #6
http://www.counterpane.com/crypto-gram-9811.html #c opy
http://www.counterpane.com/crypto-gram-0102.html #1
eTantrum's MusicID -
http://www.etantrum.com/index.php?section=techno lo gy
**
This was in response to :
**
Thus spake Doug Isenberg (disenberg@GigaLaw.com):
OK, now that the district court issued its injunction against Napster, we
know that the service will be required to block the transmission of MP3
files where the file names match those provided by the music industry
plaintiffs. I still think this is a far-from-foolproof solution and will
allow many songs to slip through.
I've been told that songs on CDs are encoded with a unique "hash" code and
that the code could be used to identify files. I'm trying to understand
this technology better and admit the preceding sentence may not be
technically accurate! Can anyone comment on this and/or provide resources
for background on the technology?
There's two ways to be pro-Napster. You can believe that it's appropriate and legal for private citizens to give each other unlimited copies of copyright-protected works. You'll have a hard time finding "respectable" people to defend this position.
Or, you can believe that there are some legitimate uses of file-sharing as well as illegitimate ones, and that there's no effective way to prevent the bad uses without unacceptably interfering with the good ones. Under this logic, Napster, Inc. should not be restricted, but law enforcement and copyright-holders have every right to go after people who are misusing Napster. You can probably find a lot of people to support the latter position. Search the web for recent comments from Lawrence Lessig, for example. Lessig is associated with Harvard Law School, and is the former chair of the Berkman Center for Internet and Society there.
Also look at the archives of the GigaLaw mailing list at gigalaw.com for a lot of discussion of this issue by people more qualified than myself.
With all due respect, so what? If the film industry is contributing nothing new, who cares if it's killed off? If it is contributing something new, then there's nothing to fear and the industry will thrive. Either way, what's the problem?
Even better, perhaps there would be a metaphorical culling of the herd in which the worthless would die off and the worthwhile live on. Who could object to that? Even if your theories are valid (and I'm not at all sure that they are) the end result looks good to me.
Below is the full text of a letter I sent to fortune magazine, expressing my opinion of this idiocy.:
To Whom it May Concern,
Mr. Dvorak's column is largely erronious in both fact and interpretation. On points of fact, the TiVo device does not necessarily cost $500, but is available for $300. It is also not difficult to use.
Of greater significance are the errors of interpretation. Mr. Dvorak evidently believes that it is only lawful to watch television in the manner and at the time intended by the broadcasters. The courts have repeatedly held that this is not the case. One need only look at Sony vs. Universal (1983) for an example. The humble VCR does all of the things which Dvorak finds objectionable: It allows the viewer to record shows, watch them at the time and place of their choosing and watch as much or as little of the show as they wanted, including the ability to easily not watch commercials. It even allows shows to be watched repeatedly, and video tapes can be given away or sold, albeit illegally.
The only difference with the TiVo is that it does these things electronically (which seems to be inherently scary), and that one can watch a show at the same time one is recording it, so that the time-delay is reduced.
Mr. Dvorak appears to believe that because media producers include advertisements with their programming, the viewer is legally or morally obliged to watch them. This is clearly not so. Such stalwart mechanisms as newspapers and magazines have allowed readers to "turn the page" and thereby avoid advertizements. Even so, these are often distributed at no charge, despite having a much higher per-recipient cost than television. For that matter, viewers have always had the legal right to turn off or ignore their televisions during commercials.
There seems to be a belief among many intelectual property commentators, including Mr. Dvorak, that the law ought to guarantee the continued profitability of any business model that is currently succesfull. If the technological or social environment reduces the profitability of a given industry, that industry is not necessarily a victim deserving of reparations. Imagine the world today if the Horsbreeders Association of America had succesfully sued automobile manufacturers for damages and gained an injunction against their manufacure?
--
The above opinions are my own, and not those of my employer
nor any other reasonable individual.
Eric Anderson
Department of Mathematics and Computer Science
Carleton College, Northfield MN
eric@ericanderson.org
anderser@carleton.edu
There's been a lot of discussion of various ways to encrypt drives for protection, and also of ways to cause drives to self-destruct. The problem with the encryption systems is maintaining the secrecy of the key, when the attacker has access to all the hardware and software. The problem with the self-destruct systems is keeping things sufficiently controlled to destroy the data but not hurt anyone.
The following synthesis makes sense to me: Have the drive encrypted with a symetric-key cipher. Have the key stored in NVRAM or some equivalent. In normal operation, the encryption and decryption is handled transparently. either by software drivers, or (better yet) by the drive controller itself. Because no person needs to know the key, it can be truly random and long enough. To activate the self-destruct, simply erase the key. I don't know much about NVRAM, but I imagine that it is possible to "wipe" it sufficiently that the data can't be recovered. If not, this idea would have to be modified.
In the best-case scenario, all of this functionality is integrated into the drive controller, so that data is encrypted before it's sent to the disk, and decrypted before it's returned to the system bus. This makes life easier for everyone since the encrypted drive system looks just like a normal IDE (or SCSI) system from the outside. More importantly, it means that the key can be stored inside the controller card, and never needs to be made available to any other hardware or software. This minimizes the risk of key compromize, even by a malicious user.
The card would have to support an instruction (or physical connection) whereby it could be signalled to self-destruct. This could be activated by LoJack-style equipment, or what have you.
Once the key's truly erased, the contents of the drive become totally unusable.
For it to be dishonest you must be misleading someone. If you make explicitly false claims, that's obviously dishonest. Further, there are some implied claims (such as that work with your name on it is your own) which you have a responsibility to explicitly contradict if they're false.
As long as you give proper attribution anywhere you use or reference others' work, that's honest. In some cases, the requirements of the assignment may require that you not use certain sorts of sources. If you fail to comply with that restriction, but give proper attribution, then you're not being dishonest, you're just failing to do the assigment as specified. This would be grounds for a poor grade, but not for academic dishonesty charges.
I disagree with you about about point #1, but I agree about #2, #3 and to a lesser extent #4.
I think point 1 is not relevent because the issue is whether or not the accused company is aiding infringement, not comitting it itself. And for what it's worth, fax, telephone and mail are archetypally peer to peer.
What you say in #2 is correct, it's logical, it's common sense. But the problem is that it's not (as far as I can tell) in the law. Nothing in the text of the circuit court's decision or von Lohmann's article explicitly mentions how large a portion of a company's revenue comes from infringing users - only the fact that any of it does.
Point #3 illustrates precisely the hypocrisy I'm objecting to: If two people communicate over the phone or through mail, the law protects their privacy by forbidding monitoring. If the same people communicate through a computer service, it seems that the law attacks their privacy by requiring monitoring. The right to communicate privately deserves the same degree of protection regardless of the technology involved.
Point #4: Again you're right. But what's the standard of cooperation here? It's one thing to say that when law enforcement find evidence of a crime that the communication provider release relevant information to them. This is what the postal and phone services do. It's quite another to require that the provider actively monitor and attempt to prevent the misuse of it's systems. That's what's being expected in the peer-to-peer system.
The upshot of all of this is that a company building communications systems needs to know that if they're not encouraging illegal use of their system that they're also not responsible for going to rediculous lengths to prevent it.
This confuses me considerably: It seems that the upshot is this:
1. If you profit from the copyright infringement of your users, you're potentially liable for vicarious infringement.
2. If you have an even vaugely sane business model, you will in some way benefit from having users.
3. Any service capable of moving information or material goods can be used for copyright infringement.
4. Given a reasonably large user base, it's certain that at least some of your users will engage in copyright infringement.
From 3 and 4 we can conclude that any system for moving data or physical material will be used for direct copyright infringement.
Combining this with point 2, we must conclude that any business which is based on moving matter or data benefits indirectly from copyright infringement.
Considering now point 1, we reach the conclusion that any business which allows customers to move data or matter is potentially liable for contributory or vicarious copyright infringement.
The existence of non-infringing uses may get you off the hook for contributory infringement, but not vicarious.
To avoid liability for vicarious infringement, the business must either have no right or ability to control customers actions, or must actively and thoroughly police its users.
So we have the logical conclusion: Any business which allows customers to move matter or data, and has even so much control as the ability to refuse service, must monitor the activites of its customers or else be guilty of vicarious copyright infringement.
So why isn't the Postmaster General doing time? How about the phone system? What about the protections afforded "common carriers"? What about the idea that citizens have a right NOT to be monitored? If it were applied to the phone system, this reasoning would not only allow but require that everyone's phone be wiretapped all the time.
If these conclusions are not correct, then wherein lies the flaw?
I agree, with one caveat: You imply that there is no advantage to marking all traffic as high priority. This is true, because it is the relative priorities of different data-streams that effects transfer rate, not their absolute prioritites. But, while there is no advantage to marking all traffic as high priority, there is an advantage to any specific user to mark all THEIR traffic as high, as long as it is competing with traffic from other users.
You would need to in some way change things so that no user can gain an advantage over the others. I don't know how you whould do that...
I'd love a chance to tinker with one of these. If anybody has one and is thinking of sending it back, I'll pay $25 in real cash, and pay for shipping.
Not exactly big money, but it's the same ammount Virgin's offering, and it actual currency rather than a gift certificate. If you're going to send it off anyway, why not give it to a good cause (my entertainment). I even promise to post anything interesting I discover.
Slashdot Mirror
Sure they make nothing. But they get stuff from the people who make it to the people who want it. That's as important a part of the production process as any other.
In most cases, the "overhead" of distributing and selling something is a bigger component of the overall cost than its production.
I fail to see how offering someone a job (which they are free to decline) constitutes exploitation. We in the rich world like to feel morally indignant about sweat shops, because the workers have a standard of living so far below ours. But, for the people working those jobs, they're usually better than the alternatives. They wouldn't take the job if they didn't think it made them better off than they would otherwise have been.
Now, there are exceptions: slave labor, forced labor by prisoners, child labor, etc. really are exploitation. But freely chosen jobs, however unpleasant, are not exploitation - they're often a family's best hope of being able to feed their children.
No, basic DOD security clearances (Confidential, Secret, Top Secret) are not classified. In fact, your clearance level is printed on your badge where I work: Having a clearance level wouldn't do much good if you couldn't tell anyone what it was. Imagine this dialog - A: This area's restricted. Are you cleared to come in? B: I can't tell you unless you're cleared to know. What's you clearance level? A: I can't tell you unles ... what's yours? and so on.
However, you're not encouraged to attract a lot of attention to them, either. Making a show of having a clearance could attract the attention of the wrong sort of people (i.e. people who want access to things you have access to).
We're not quite there yet, for better or worse. There were lots of ground troops involved on both sides. It just happens that the ones on our side belonged to our allies, rather than being U.S. soldiers. Our machines didn't win a war: they tipped the ballance of power in an existing war between conventional armies.
Amid all our technological self-congratulation, let's not forget that it took thousands of armed men on horseback (literally) to drive back the Taliban forces.
This is actually a pretty straigthforward task, as the ammount of new platform-specifc code should be pretty small:
I'm told that QT code is source-compatible across platforms, so that's taken care of. Sockets libraries (network I/O) are the same under windows and Unix. That just leaves threading and serial I/O. The good thing about threading is that you probably only need to implement wrappers for a small portion of threading libraries (i.e. the portion you actually use). Posix Threads defines about 60 functions, but I honestly only ever use about 6: pthread_create, pthread_join, pthread_mutex_lock, pthread_mutex_unlock, pthread_detach and pthread_exit.
I don't know much about serial I/O under win32, but I doubt that it's too difficult... (heh)
Which gets us back to the issue at hand. I don't know anything about the inner workings of the Radeon driver, but there are probably a number of similar tradeoffs involved in its design. The most reasonable interpretation is *not* that Radeon has optimized for Quake 3 at the expense of other programs. If that were true, it would run at the same rate whatever it were named. The better explanation is that when the driver knows what program is being run (such as Quake 3) it optmizes itself to the known characteristics of that program, and when a program which the driver knows nothing about (such as "Quack") is run, it uses default settings.
Thus, it's not necessarily favoring Quake 3 over other applications, but is instead using optimizations for for known programs which are not available for unknown ones. There's nothing in this article to indicate that similar optimizations haven't been made for Counter Strike, Half Life, or any other popular 3D programs.
It looks like the business model is essentially camera rental, with two twists:
1. You're not actually obliged to bring it back, but
2. They encourage you to bring it back by making it difficult to get the pictures without doing so.
This could actually work. As long as they're not good enough to be worth keeping, most will probably be brought back.
I'm amazed that no-one has addressed this yet, but what do we know about driver support? Specifically the usual suspect components: Video card, sound card, USB controller and FireWire (!) controller?
I do know that the RealTek 8139 ethernet card is supported under Windows, Linux and FreeBSD.
I work in air traffic control software, but I am speaking for myself and not on behalf of the company.
I don't have a conclusion about the wisdom of ground-based control of hijacked aircraft, but I do have a few observations:
Software has to:
1. Meet user requirements.
2. Meet user requirements (in 10 years).
If your business plan includes any kind of long-term component, you know that initial sales are only a small portion of your revenue stream. If you write software for retail sale, the long term comes in the form of selling subsequent versions of your product. If you develop directly for large clients, it usually comes in the form of explicit code maintainance contracts. This is doubly true because most software has relatively few users for the initial release, and only gains widespread adoption with time.
Either way, you're in it for the long haul. The known user requirements are not the end-point of your development effort, but rather the first of many waypoints. Maintainability and extensibility are everything: If you can't correct the bugs in version 1.0 and get version 2 out the door (both in a timely and cost-effective manner) you're not going to be selling much software. That's why an elegant design is worth the extra initial cost.
It's been said before, and will certainly be said again, but there is no such thing as a "totally secure environment." The best realistic target is "an evironment which will cost more to penetrate than the contents are worth." It's important to maintain feasable security expectations.
There's a famous quote about the only secure computer being turned off, buried in concrete, protected by nerve gas and armed guards, and still not quite secure enough...
Two disagreements:
"8. Use 10-Mbit hubs or switches in your dorms. This will keep the rest of your network (100Mbit?) nice and tidy from P2P traffic."
This is only true or relevant if your internal network bandwidth is the limiting factor in P2P transfer rates. Assuming that all or most of your students' P2P file transfers are going to/from off-campus systems, the limiting factor will be your outside internet connection anyway. Unless you have >= 10Mbps connectivity, of course.
Also, well-implemented switched ethernet will isolate the rest of your network from intra-resnet and resnet-internet traffic.
"9. Keep a close eye on possible haxors. You know how to identify them, the kids who bring their own Cisco routers to school. They're the ones who are going to bring down your gateways."
They're also the ones who'll probably be your best CS students and future networking employees. Don't alienate or be rude to students just because they're technically adept.
This is kind of self-evident, but a demonstration that wind power *can be* used for such purposes is entirely different from a demonstration that is *was* used. This only shows that the theory is not totally impossible, not that it is probable or true.
A reposession man should no more be happy about layoffs than an undertaker should be happy about an epidemic.
I don't think that works as well as you think it does. Suppose you have an opt-in system. Who gets to opt-in? You assume there's a master list of who can create a copyrighted work. But there's not. Anyone who makes a creative work is a copyright holder.
s -0 103-00027.html
a si cs.htm
m l# ques29
l #6
l #c opy
l #1
o lo gy
How is napster supposed to know who is the copyright holder of any given work to submit it in the first place? They can't possibly have a person deal with every file that's proposed, so this has to be done in an automated way. If I want to allow my work to be distributed over Napster, and I send them a checksum and say "Let MP3 files matching this checksum pass" how are they going to know that I actually hold the copyright for that work?
Further, checksumming doesn't really work anyway because any change to the file, such as a bit-rate conversion, will break the checksum. If I want to allow people to covert my file to a 64kbit stream, or Vorbis, do I have to provide a checksum for every legal variant? Moreover, Napster, Inc's servers can't possibly checksum the files, because the actual files never pass through the central servers. The servers's get information from the client software. So the client would have to checksum the files. How long do you think it would take before people altered the clients to provide fake checksums?
I really think that this problem is a lot harder than you might initially imagine.
For a more thorough discussion of the issue, here's a comment I wrote a while back on this basic problem, on the afore-metnioned GigaLaw mailing list.:
http://gigalaw.com/archives/0103/gigalaw-discus
**
The short answer is that there is no reliable way to identify an MP3 other than
having someone listen to it. This goes double for services like Napster which
never handle the MP3s themselves and have to rely on user-supplied data.
As I've mentioned in previous posts, filtering by name won't work. Other
solutions fare no better. Here's the long answer:
There are mechanisms which make is possible to identify CDs and MP3 files, but
they're all voluntary. CDs contain a serial number and a table of contents,
which lets you look up CD information in a database called CDDB (for CD
DataBase). This is how a lot of modern computer CD players get the song titles
and such. MP3 files allow what are commonly called "ID3 tags". They are just
a chunk of the file which is set aside for text, so that information about the
file can be stored there. This ID3 information is generally filled in by the
person who created the MP3, but it can be changed later by anyone who wants to.
These features are very useful for legitimate users: For example, I encode my
CDs into MP3 format so that I can listen to them on my computer and with a
portable MP3 player. The software I use reads the serial number off the CD,
gets information from the CDDB database, and then sets the ID3 tags
accordingly. That way, each MP3 is tagged with the title, artist, and album.
Unfortunately, these features are useless from a copyright enforcement
standpoint because they are controlled by the user. There's no way to make
someone set the ID3 tags correctly, so you cannot rely on their accuracy.
The concept of a hash code is very much like a fingerprint. Hash codes let you
take a file and produce a number that uniquely identifies the file. This
number can then be used to verify whether that the file hasn't been modified,
or to check other files and see if they're the same. Much like a fingerprint,
there's not an 100% guarantee that two files with the same has code are the
same file, but the odds are billions to one against any given two different
files having the same hash code. Theoretically the RIAA could give Napster a
list of hash values for every illegal MP3, and then Napster could detect it any
time one of those files was sent. Unfortunately, this doesn't work in
practice. The strength of hash codes is also a weakness in this instance: If
you change a file in any way, you totally change its hash code. This is good
for detecting tampering, but bad for identifying MP3s. There are inummerable
changes an infringer could make to an MP3 file which would not alter it in any
meaningful way, but still change the hash code.
There is a company called eTantrum, Inc (www.etantrum.com) which has developed
a technique for identifying music based on its audio characteristics, which
should be independent of the file format or other easily-altered features. If
it works as intended, it could be used to identify songs, which is what the
RIAA would like. It is, however, open to question how well it actually works.
Even if it does work, it could still be easily defeated: Currently, Napster
acts as a search engine and broker, matching people who want a given song with
people who have it. The file is then transferred between the users themselves.
Thus, Napster never sees the MP3s themselves and has to trust the users to
supply accurate information. Needless to say, users wishing to transfer
infringing information would provide incorrect data.
Useful references:
Audio CD format-
http://www.disctronics.co.uk/cdref/cdbasics/cdb
MP3 files and ID3 tagging-
http://webhome.idirect.com/~nuzhathl/mp3-faq.ht
Hash codes-
http://www.thawte.com/support/crypto/hash.html
The (in)feasibility of copy protection and water-marking-
http://www.counterpane.com/crypto-gram-0011.htm
http://www.counterpane.com/crypto-gram-9811.htm
http://www.counterpane.com/crypto-gram-0102.htm
eTantrum's MusicID -
http://www.etantrum.com/index.php?section=techn
**
This was in response to :
**
Thus spake Doug Isenberg (disenberg@GigaLaw.com):
OK, now that the district court issued its injunction against Napster, we
know that the service will be required to block the transmission of MP3
files where the file names match those provided by the music industry
plaintiffs. I still think this is a far-from-foolproof solution and will
allow many songs to slip through.
I've been told that songs on CDs are encoded with a unique "hash" code and
that the code could be used to identify files. I'm trying to understand
this technology better and admit the preceding sentence may not be
technically accurate! Can anyone comment on this and/or provide resources
for background on the technology?
Doug Isenberg, Esq.
Editor & Publisher, GigaLaw.com (http://www.GigaLaw.com)
There's two ways to be pro-Napster. You can believe that it's appropriate and legal for private citizens to give each other unlimited copies of copyright-protected works. You'll have a hard time finding "respectable" people to defend this position.
Or, you can believe that there are some legitimate uses of file-sharing as well as illegitimate ones, and that there's no effective way to prevent the bad uses without unacceptably interfering with the good ones. Under this logic, Napster, Inc. should not be restricted, but law enforcement and copyright-holders have every right to go after people who are misusing Napster. You can probably find a lot of people to support the latter position. Search the web for recent comments from Lawrence Lessig, for example. Lessig is associated with Harvard Law School, and is the former chair of the Berkman Center for Internet and Society there.
Also look at the archives of the GigaLaw mailing list at gigalaw.com for a lot of discussion of this issue by people more qualified than myself.
Even better, perhaps there would be a metaphorical culling of the herd in which the worthless would die off and the worthwhile live on. Who could object to that? Even if your theories are valid (and I'm not at all sure that they are) the end result looks good to me.
Below is the full text of a letter I sent to fortune magazine, expressing my opinion of this idiocy.:
To Whom it May Concern,
Mr. Dvorak's column is largely erronious in both fact and interpretation. On points of fact, the TiVo device does not necessarily cost $500, but is available for $300. It is also not difficult to use.
Of greater significance are the errors of interpretation. Mr. Dvorak evidently believes that it is only lawful to watch television in the manner and at the time intended by the broadcasters. The courts have repeatedly held that this is not the case. One need only look at Sony vs. Universal (1983) for an example. The humble VCR does all of the things which Dvorak finds objectionable: It allows the viewer to record shows, watch them at the time and place of their choosing and watch as much or as little of the show as they wanted, including the ability to easily not watch commercials. It even allows shows to be watched repeatedly, and video tapes can be given away or sold, albeit illegally.
The only difference with the TiVo is that it does these things electronically (which seems to be inherently scary), and that one can watch a show at the same time one is recording it, so that the time-delay is reduced.
Mr. Dvorak appears to believe that because media producers include advertisements with their programming, the viewer is legally or morally obliged to watch them. This is clearly not so. Such stalwart mechanisms as newspapers and magazines have allowed readers to "turn the page" and thereby avoid advertizements. Even so, these are often distributed at no charge, despite having a much higher per-recipient cost than television. For that matter, viewers have always had the legal right to turn off or ignore their televisions during commercials.
There seems to be a belief among many intelectual property commentators, including Mr. Dvorak, that the law ought to guarantee the continued profitability of any business model that is currently succesfull. If the technological or social environment reduces the profitability of a given industry, that industry is not necessarily a victim deserving of reparations. Imagine the world today if the Horsbreeders Association of America had succesfully sued automobile manufacturers for damages and gained an injunction against their manufacure?
--
The above opinions are my own, and not those of my employer
nor any other reasonable individual.
Eric Anderson
Department of Mathematics and Computer Science
Carleton College, Northfield MN
eric@ericanderson.org
anderser@carleton.edu
There's been a lot of discussion of various ways to encrypt drives for protection, and also of ways to cause drives to self-destruct. The problem with the encryption systems is maintaining the secrecy of the key, when the attacker has access to all the hardware and software. The problem with the self-destruct systems is keeping things sufficiently controlled to destroy the data but not hurt anyone.
The following synthesis makes sense to me: Have the drive encrypted with a symetric-key cipher. Have the key stored in NVRAM or some equivalent. In normal operation, the encryption and decryption is handled transparently. either by software drivers, or (better yet) by the drive controller itself. Because no person needs to know the key, it can be truly random and long enough. To activate the self-destruct, simply erase the key. I don't know much about NVRAM, but I imagine that it is possible to "wipe" it sufficiently that the data can't be recovered. If not, this idea would have to be modified.
In the best-case scenario, all of this functionality is integrated into the drive controller, so that data is encrypted before it's sent to the disk, and decrypted before it's returned to the system bus. This makes life easier for everyone since the encrypted drive system looks just like a normal IDE (or SCSI) system from the outside. More importantly, it means that the key can be stored inside the controller card, and never needs to be made available to any other hardware or software. This minimizes the risk of key compromize, even by a malicious user.
The card would have to support an instruction (or physical connection) whereby it could be signalled to self-destruct. This could be activated by LoJack-style equipment, or what have you.
Once the key's truly erased, the contents of the drive become totally unusable.
For it to be dishonest you must be misleading someone. If you make explicitly false claims, that's obviously dishonest. Further, there are some implied claims (such as that work with your name on it is your own) which you have a responsibility to explicitly contradict if they're false.
As long as you give proper attribution anywhere you use or reference others' work, that's honest. In some cases, the requirements of the assignment may require that you not use certain sorts of sources. If you fail to comply with that restriction, but give proper attribution, then you're not being dishonest, you're just failing to do the assigment as specified. This would be grounds for a poor grade, but not for academic dishonesty charges.
I disagree with you about about point #1, but I agree about #2, #3 and to a lesser extent #4.
I think point 1 is not relevent because the issue is whether or not the accused company is aiding infringement, not comitting it itself. And for what it's worth, fax, telephone and mail are archetypally peer to peer.
What you say in #2 is correct, it's logical, it's common sense. But the problem is that it's not (as far as I can tell) in the law. Nothing in the text of the circuit court's decision or von Lohmann's article explicitly mentions how large a portion of a company's revenue comes from infringing users - only the fact that any of it does.
Point #3 illustrates precisely the hypocrisy I'm objecting to: If two people communicate over the phone or through mail, the law protects their privacy by forbidding monitoring. If the same people communicate through a computer service, it seems that the law attacks their privacy by requiring monitoring. The right to communicate privately deserves the same degree of protection regardless of the technology involved.
Point #4: Again you're right. But what's the standard of cooperation here? It's one thing to say that when law enforcement find evidence of a crime that the communication provider release relevant information to them. This is what the postal and phone services do. It's quite another to require that the provider actively monitor and attempt to prevent the misuse of it's systems. That's what's being expected in the peer-to-peer system.
The upshot of all of this is that a company building communications systems needs to know that if they're not encouraging illegal use of their system that they're also not responsible for going to rediculous lengths to prevent it.
This confuses me considerably: It seems that the upshot is this:
1. If you profit from the copyright infringement of your users, you're potentially liable for vicarious infringement.
2. If you have an even vaugely sane business model, you will in some way benefit from having users.
3. Any service capable of moving information or material goods can be used for copyright infringement.
4. Given a reasonably large user base, it's certain that at least some of your users will engage in copyright infringement.
From 3 and 4 we can conclude that any system for moving data or physical material will be used for direct copyright infringement.
Combining this with point 2, we must conclude that any business which is based on moving matter or data benefits indirectly from copyright infringement.
Considering now point 1, we reach the conclusion that any business which allows customers to move data or matter is potentially liable for contributory or vicarious copyright infringement.
The existence of non-infringing uses may get you off the hook for contributory infringement, but not vicarious.
To avoid liability for vicarious infringement, the business must either have no right or ability to control customers actions, or must actively and thoroughly police its users.
So we have the logical conclusion: Any business which allows customers to move matter or data, and has even so much control as the ability to refuse service, must monitor the activites of its customers or else be guilty of vicarious copyright infringement.
So why isn't the Postmaster General doing time? How about the phone system? What about the protections afforded "common carriers"? What about the idea that citizens have a right NOT to be monitored? If it were applied to the phone system, this reasoning would not only allow but require that everyone's phone be wiretapped all the time.
If these conclusions are not correct, then wherein lies the flaw?
It's worth noting that Bugger has a few other meanings than "One who plants bugs."
I agree, with one caveat: You imply that there is no advantage to marking all traffic as high priority. This is true, because it is the relative priorities of different data-streams that effects transfer rate, not their absolute prioritites. But, while there is no advantage to marking all traffic as high priority, there is an advantage to any specific user to mark all THEIR traffic as high, as long as it is competing with traffic from other users.
You would need to in some way change things so that no user can gain an advantage over the others. I don't know how you whould do that...
I'd love a chance to tinker with one of these. If anybody has one and is thinking of sending it back, I'll pay $25 in real cash, and pay for shipping.
Not exactly big money, but it's the same ammount Virgin's offering, and it actual currency rather than a gift certificate. If you're going to send it off anyway, why not give it to a good cause (my entertainment). I even promise to post anything interesting I discover.
eanderso at usa dot net