Slashdot Mirror


User: crosbie

crosbie's activity in the archive.

Stories: 0
Comments: 224

Comments · 224

  1. Re:props to Muslix64 and hackers everywhere on HD-DVD and Blu-Ray Protections Fully Broken · · Score: 2, Insightful

    Yup, that's why we have the DMCA.

    TPMs only have to demonstrate that some effort has to be expended to circumvent them, i.e. that they are a protection mechanism (no matter how easily the lock may be picked with a tool readily available on the black market).

    I expect it will also help magnify the crime of circumvention in the judge's eyes when it is explained just how expensive the R&D was that went into developing AACS. No-one will point out that such R&D was a priori doomed at the outset (and comparable to R&D into perpetual motion devices).

    DRM is not the problem. DMCA is the problem.

    Pay for art, not for copies.

  2. Re:Eminently Possible ? I doubt it... on Chip & PIN terminal playing Tetris · · Score: 1

    That's $1.2m per location (motorway garages say).

    Logistics is effort, not security.

    People say the system is secure unless you have the pin and the card.

    I've simply shown that that isn't the case. You only need the pin and the chip. The punter is happy to keep just the card - for a while.

    The obvious scam of making a fake card reader that duplicates the magnetic strip given a PIN and card has already been done.

    Making a fake card reader that steals the chip is just a matter of time.

    A lesser criminal may even attempt stealing the card and returning an embossed photocopy (very risky).

    Or even selling fake lottery tickets in a street stall next to an ATM. This is a cinch. Ask punter to insert card, whirr, whirr, enter PIN, whirr whirr, beep beep, take device, swap with dummy card, meanwhile accomplice whizzes to ATM, withdraws a ton of dosh, comes back with card, seller waves machine around with dummy card in it, apologises for the slow modem connection, as the 'approved' beep occurs and gives forged lottery tickets and real card back to card holder.

  3. Re:Well true on Chip & PIN terminal playing Tetris · · Score: 1

    If you're going to remove 1,200 chips from 1,200 cards in 600 minutes (1 machine shared by two staff) at about $1,000 per card, in several locations, there might just be enough of a budget to build a machine that presses the chip-circuit out of the card, scrapes it, and replaces a fake circuit. And yes, the card goes in the machine, the punter enters a PIN, the machine says 'Approved', [clunk], and out pops the card with a slightly shinier set of brass pads. The original chip can still be used to perform the legitimate purchase if desired.

    It's these 'unthinkable' but eminently possible scenarios that end up getting exploited.

    You spend so much effort on securing the electronic communication channels that you lose sight of the fact that two human beings are handing each other black boxes, pieces of plastic and magic numbers without a clue as to what the hell is going on.

    The harder fraud appears to be, the bigger the frauds will be.

    In other words, the greater the confidence participants have in the security of a system, the less vigilant they are to notice anomalies and suspect potential fraud.

  4. Re:Well true on Chip & PIN terminal playing Tetris · · Score: 1

    Banks/merchants/punters: doesn't matter who the buck ends up with, we're talking about whether the system has an achilles heel due to the reader not being authenticated to the holder.

    All that happens is that thousands of card holders have fraudulent withdrawals and purchases charged to their card.

    Assuming the magnetic strip is disabled (preventing extremely easy harvesting)...

    All you need to get money out of a hole in the wall is the CHIP and the PIN and a fake card. You do not need the original card or the card holder. To get money from another merchant, you also need a reasonably convincing fake card (the merchant doesn't care whether it's Lloyds or Spondulicks). I doubt card readers do a visual check of the card they read...

    So, yes, remove the chip from the card without the punter noticing it's been scraped off and replaced by something apparently identical (the card holder is not a card reader, and it will be an hour or so down the motorway at another service station before they discover the card is malfunctioning). And a motorway service station handles a heck of a lot of customers in a hurry.

  5. Re:The card does authenticate the bank on Chip & PIN terminal playing Tetris · · Score: 1

    You've got the same blind spot.

    Tell me how the card reader authenticates itself to the card holder?

    It's a black box that could be made by Nickem&Grabem Inc. just as easily as NCR.

    It's breathtaking just how blind this spot truly is - and how difficult it is to bring it to people's attention (who should know better).

    I once asked a Microsoft speaker at a conference how a user could tell that the OS installed on a PC was actually MS Windows and not an OS that merely appeared to be MS Windows. I mean, I wouldn't want to type my password in to any old OS login screen...

    "Next question".

  6. Re:Card and PIN security on Chip & PIN terminal playing Tetris · · Score: 1

    1) The plastic of the card is malleable
    2) The chip is a thin surface layer
    3) A punch & die need only depress the area of the card to raise the chip circuit to be scraped off.
    4) A suitable fake circuit can then be pressed back on the card, and the distortion undone.
    5) Punter walks off none the wiser.

  7. Re:Doesn't this assume hardware integrity? on Chip & PIN terminal playing Tetris · · Score: 1

    Yup. This all comes from a highly entrenched "We own the hardware, therefore the only authentication required is to authenticate the client".

    Same syndrome with websites being vulnerable to phishing.

    Authentication has to be TWO-WAY.

    The punter has to authenticate themselves to the bank - AND the bank has to authenticate themselves to the punter.

    The punter is an incredibly intelligent being and yet they're being deliberately treated as a 4 digit number (not even a dumb terminal). Such a colossal waste of CPU power that could have otherwise assisted in the authentication process.

  8. Re:Payment Card Industry Standards on Chip & PIN terminal playing Tetris · · Score: 1

    What evidence is the cardholder given that the card reader ever actually bothered communicating with the card?

  9. Re:Payment Card Industry Standards on Chip & PIN terminal playing Tetris · · Score: 1

    This is irrelevant. These standards only apply to bonafide card readers.

    Fraudsters may observe standards, but they gleefully ignore them if it suits their purposes.

    How is any member of a merchant's staff trained to inspect their black box and determine whether it complies with standards?

    And remind me where I can read a bank's guidelines to its customers as to how they should refuse to use a card reader if it looks like it may have been opened recently? Moreover, is there a photo gallery of all the known legitimate devices?

    A fraudster probably loves the tamper resistant requirement because it means no-one expects to be able to open them up to look for radio transmitters, etc.

    "Put your card into a black box, any box, and enter your PIN - yes, that number that we always tell you never to reveal to anyone, even your wife".

  10. Re:Card and PIN security on Chip & PIN terminal playing Tetris · · Score: 1

    At least the card reader should have been required to say "Hello Mr A Person" plus a detail only obtainable via the EMV chip (a favourite colour). Then people would have a tadette of confidence that the machine could read their card properly.

    But, yes, you're absolutely right. Tons of punters are being trained to pay absolutely no regard to the nature of the device into which their card is placed, nor whether the device and/or card is removed from sight.

    Even once the mag strip is discontinued there's still another scam:
    Make a device that captures the PIN, punches out the chip and returns the card without chip. If you install this at a petrol station on a motorway you can capture several hundred chips before the scam is revealed. Each chip can be re-inserted in a new card and cashed out at a nearby ATM or, if the new card looks good, a jewellery shop, etc.
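The point made in comments 5, 7 and 10 above (the reader never proves anything to the cardholder, and at minimum should show the holder's name plus a detail only the chip can supply) sketched as an added Python example. This is not code from the original thread, from Slashdot, or from any EMV specification; the card number, the shared key, the "bank->card" label and the "favourite colour" detail are all constructed for the example. The card releases the greeting only after the bank answers a fresh challenge, so a box with no bank behind it cannot make the greeting appear, and an old proof cannot be replayed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample data for the example (assumptions, not from the page).
PAN = "4000000000000002"
CARD_KEY = hashlib.sha256(b"example issuer-card shared key").digest()
HOLDER = "A Person"
CHIP_ONLY_DETAIL = "favourite colour: teal"


def proof_tag(key: bytes, label: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 over a direction label and a fresh nonce (assumed construction)."""
    return hmac.new(key, label + nonce, hashlib.sha256).digest()


@dataclass
class Card:
    """The chip: holds the key shared with the issuer and releases the
    cardholder greeting only after the bank has proven itself."""
    pan: str
    key: bytes
    holder: str
    detail: str
    _nonce: bytes = field(default=b"", repr=False)

    def challenge(self) -> bytes:
        # Fresh nonce per session, so a proof captured earlier cannot be replayed.
        self._nonce = os.urandom(16)
        return self._nonce

    def greeting_if_bank_proven(self, proof: bytes) -> Optional[str]:
        if not self._nonce:
            return None                      # no outstanding challenge
        expected = proof_tag(self.key, b"bank->card", self._nonce)
        self._nonce = b""                    # one proof per challenge
        if not hmac.compare_digest(proof, expected):
            return None
        return f"Hello {self.holder} ({self.detail})"


class Issuer:
    """The bank: knows each card's key and answers challenges relayed by terminals."""
    def __init__(self, keys: Dict[str, bytes]):
        self._keys = dict(keys)

    def prove_to_card(self, pan: str, nonce: bytes) -> bytes:
        return proof_tag(self._keys[pan], b"bank->card", nonce)


class HonestTerminal:
    """A reader with a real connection to the issuer."""
    def __init__(self, issuer: Issuer):
        self.issuer = issuer

    def obtain_greeting(self, card: Card) -> Optional[str]:
        nonce = card.challenge()
        proof = self.issuer.prove_to_card(card.pan, nonce)
        return card.greeting_if_bank_proven(proof)


class OfflineRogueTerminal:
    """A box with no bank behind it: it can only guess the proof."""
    def obtain_greeting(self, card: Card) -> Optional[str]:
        card.challenge()
        return card.greeting_if_bank_proven(os.urandom(32))


def holder_should_enter_pin(terminal, card: Card, expected_detail: str) -> bool:
    """Cardholder-side rule: type the PIN only if the box shows the name and
    the chip-only detail, i.e. only if the chip actually talked to the bank."""
    greeting = terminal.obtain_greeting(card)
    return (greeting is not None
            and card.holder in greeting
            and expected_detail in greeting)


if __name__ == "__main__":
    issuer = Issuer({PAN: CARD_KEY})
    card = Card(PAN, CARD_KEY, HOLDER, CHIP_ONLY_DETAIL)
    for name, term in [("honest reader", HonestTerminal(issuer)),
                       ("offline rogue box", OfflineRogueTerminal())]:
        ok = holder_should_enter_pin(term, card, CHIP_ONLY_DETAIL)
        print(f"{name:18s} -> enter PIN? {ok}")
```

Note what the greeting does and does not prove: any box with a live path to the issuer, honest or not, will produce it, so it authenticates the bank to the cardholder rather than the reader itself. What it does defeat is the purely offline box that takes a card and a PIN while only pretending to talk to anyone.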

  11. Re:Not per se -- but it effectively can. on MySQL Changes License To Avoid GPLv3 · · Score: 1

    If you want to dedicate a work to the public such that the public is at liberty to enjoy and build upon that work and all published derivatives of it, then you need a license such as the GPL.

    If you simply neutralise copyright's restrictions for the licensee, then the licensee can once again use copyright to suspend the public's liberty to their published derivatives.

    The term 'social contract' sounds like it might be a contract, because it has the word 'contract' in it, however simply because some scholars use it to describe copyright does not actually make copyright a contract. Copyright remains a state granted monopoly to publishers - and since we're all now publishers this has the effect of suspending the public's liberty.

    Similarly, the term 'copyright' sounds like it might be a human right because it has the word 'right' in it, however it is not a right, but a state granted privilege.

    Human rights are not granted or created by the state, but protected by the state. Laws are created to protect these rights, e.g. speed limits.

    Giving an exclusive monopoly over the duplication or modification of binary digits to the publisher is a commercial incentive at the expense of the public's liberty. This is unethical.

    As to your NDA hypothetical, yes, I believe such things should be respected in so far as it is practicable. However, while a 3rd party may accede to a C&D use/disclosure of information they believed they had legitimately received from the 2nd party, I don't think the 3rd party is obliged to seek recovery from 4th parties (still up to the 1st party), etc.

    The point about a contract is that it is willingly agreed to.

    The point about human culture is that the suspension of the public's liberty to share and build upon it was never agreed to by the public, but by a small cartel of commercial publishers. It is only with the advent of the Internet that would-be self-publishers are noticing this suspension of their liberty.

    As to whether the GPL imposes on your rights to privacy and freedom to use DRM. I don't believe it does. Please let me know how you think it does?

    All the GPL requires is that if you choose to publish a derivative that you do not obfuscate the work, i.e. you provide the source code. You are still free to publish the derivative in binary or encrypted form with any number of digital certificates demonstrating and/or protecting your rights and those of the recipient. However, GPLv3 will also require that you nullify the draconian provisions of the DMCA.

    The GPL does not compel you to publish your derivative works. And if you do decide to publish them, you can charge any amount of money for them.

  12. Re:Not per se -- but it effectively can. on MySQL Changes License To Avoid GPLv3 · · Score: 1

    In order to nullify copyright restricting the public, a publisher must provide a license that restores the liberties copyright suspends, and in order that these liberties are preserved for all licensees must require that each licensee provide the same license. This is because copyright can otherwise be re-applied to once again suspend the public's liberty (as permitted by the BSD).

    Copyright is not a contract. A contract is an agreement entered into willingly by both parties. If copyright were abolished tomorrow you'd still be able to contract a purchaser of a copy of your work to an NDA.

    Liberty is that which remains after human rights, i.e. the rights to life, privacy, and truth. That means that liberty does not trump the right to privacy.

    If you sell a copy of your digital art to someone without contract then that person is at liberty to do with it as they will. Of course, that doesn't include impairing truth, e.g. misattributing your work as their own.

    The GPL restores the liberty suspended by copyright/DMCA and patents, and does not impose upon anyone's rights to truth, privacy, or life.

  13. Re:Not per se -- but it effectively can. on MySQL Changes License To Avoid GPLv3 · · Score: 1

    Your 'additional legal tool' in the form of copyright and patents constitutes the suspension of the public's liberty to enjoy and build upon published works - and in the case of patents, even to create works that coincidentally involve reinvention.

    Liberty is not a right to suspend someone else's liberty. The tautology is thinking otherwise.

    Until copyright is abolished, one cannot ignore it as it applies by default. One therefore has to utilise a license that nullifies copyright, that grants the licensee liberty on condition they preserve that liberty.

  14. Re:Not per se -- but it effectively can. on MySQL Changes License To Avoid GPLv3 · · Score: 1

    In the absence of copyright and the GPL, source code can be obtained via purchase. Because liberty has been restored, the purchasers of this source code are free to reproduce it and resell it, or even to build upon it.

    There is no need to create any new law to oblige disclosure of source code or private modifications. The author is entitled to exploit these privately, offer them for sale, or rental, and even disclose them subject to NDA.

    Liberty is the removal of unethical forces imposed on the public by copyright and patents.

    The last thing liberty does is to 'force' anyone to do anything.

  15. Re:Not per se -- but it effectively can. on MySQL Changes License To Avoid GPLv3 · · Score: 1

    The GPL does not compel you to publish your private intellectual property.

    If copyright were abolished you would retain the natural right to publish binaries without needing to release source code to them. This would of course be perfectly fine and fair.

    It is only in the presence of copyright that there is any need to prevent obfuscation as a means of circumventing the GPL's requirement that published derivatives are also subject to the GPL.

    If you deliver your work to the public, the public have a right to enjoy it.

    If you don't want the public to have your work, don't deliver it to them - keep it private.

    That's the natural law.

    Copyright and patents are unnatural impositions on the public's liberty as economic incentives to the publisher. However, these incentives are unethical. Moreover, given the arrival of the instantaneous diffusion device known as the Internet, they are also ineffective. That's the double whammy that signals their imminent demise.

    The ethical arguments aren't new, they're simply reappearing as a sweetener to make the bitter pill of reality easier to take.

    Copyright and patents aren't destroyed by argument, but by rejection.

    The GPL is only effective against those who stubbornly believe in copyright and patents. Without copyright and patents there is no need for the GPL to exist.

  16. Re:Not per se -- but it effectively can. on MySQL Changes License To Avoid GPLv3 · · Score: 1

    FallLine,

    The liberty the GPL attempts to restore is nothing more nor less than the liberty suspended by copyright, patents and the DMCA.

    We are talking about a reversion to the liberty we had a hundred or so years ago before printers thought it might be a good idea if there was a gentleman's agreement not to reprint each other's publications.

    Just because you can make money by suspending the public's liberty and selling it back doesn't make it an ethically sound thing to do.

    Originally, there were a few printers, and few gave a damn whether printers were happy to surrender their own liberty to streamline their revenue models (the public at the time were pretty much unaffected). Unfortunately, we are all printers today, and all subject to the laws designed for an earlier era.

    There's nothing wrong with creating, owning or selling intellectual property. The wrong is in believing that you should continue to own it even after you've sold it or published it.

  17. Re:Freedom is scary on MySQL Changes License To Avoid GPLv3 · · Score: 1

    That's the point I was obliquely trying to make, i.e. that those who prefer 'GPLv2 only' probably do not have the public's liberty uppermost in their mind, but rather an eye toward potential revenue models on the horizon that rely on its suspension (patents/DMCA).

  18. Re:Freedom is scary on MySQL Changes License To Avoid GPLv3 · · Score: 1

    "Freedom of the licensee to suspend the public's liberty" vs "freedom of the public" can be confusing. I get tripped up over it myself (as I did in my post above).

    You've got to be eternally vigilant in holding uppermost in your mind that the freedom provided by the GPL is not to a specific licensee, but to all licensees of all published copies and all published derivatives.

    Hence, a license for the general public that restores to it the freedoms otherwise suspended by copyright, patents and the DMCA.

    The BSD neutralises copyright, whereas the GPL nullifies it.

    The GPL restores liberty to the public, whereas the BSD restores it only to first generation licensees.

  19. Re:Freedom is scary on MySQL Changes License To Avoid GPLv3 · · Score: 1

    A later version cannot reduce the licensee's liberty, but yes, I suppose it could reduce the obligations imposed on the licensee to preserve liberty for their licensees.

    However, that would indicate that FSF had completely lost the plot - no sign of that so far.

    So, yes, I will concede that a later version of the GPL could end up reducing the PUBLIC's liberty (even if it cannot reduce the licensee's liberty).

  20. Freedom is scary on MySQL Changes License To Avoid GPLv3 · · Score: 1, Informative

    Given the GPLv3 (however it's written) cannot reduce the liberty provided by the GPLv2, one can only imagine that those who cross out "or later" are fearful that the public may be given more liberty by the GPLv3 than they'd prefer them to have.

    What kind of liberties are there to be afraid of?

    The GPLv3 can only restore the liberties suspended by copyright, patents, and the DMCA. It cannot grant any additional liberties, e.g. to inspect the publisher's premises, or to sleep with its CEO's daughter, etc.

  21. Re:Is it really a bad thing? on New Zealand DMCA Moves Forward · · Score: 2, Insightful

    That's right. Anal retentive publishers using the DMCA restrict themselves and their art into obscurity, whilst libertarian artists emancipate their fans, proliferate their art, and reap the audience adulation.

    If you don't want the public to have your art, don't publish it.

    The notion that the artist has a human right to prevent their published art being copied is a myth - it is, and always has been, an artificial monopoly created out of incumbent commercial interest.

    If artists wish compensation, there's nothing stopping them making a deal with their audience directly: Art for money, money for art. This does not require copyright, patents or the DMCA.

  22. Re:Order yours here on Polonium-210 Available Through Mail Order · · Score: 1

    It is possible, no matter how improbable, that one may be interested to frame one's alleged assassins for one's own assassination - especially if you have mistaken the significance of your own obsession as equivalent to the significance of your assassination.

    I am waiting to hear of one place where Po210 has been found that Litvinenko has not himself already visited.

    If an assassination, it is strange that Po210 has been found in places other than on Litvinenko, and only in places that he visited. One would assume an assassin would be careful to only leave traces where it was useful to leave traces - presumably nowhere apart from the victim.

    I suspect all crime novelists from Agatha Christie to John Le Carré are laughing their heads off at how transparent the whole thing truly is.

    If Litvinenko had anything truly incriminating to say, he would have been silenced a little more abruptly...

    I suspect the manner of his death speaks louder than any words he had to say (whether assassinated or not).

  23. Re:Interesting on OpenSourcing Yourself, Are You Ready? · · Score: 1

    MS is an advocate of private rights to its published software - even in your private domain.

    Open Source is an advocate of source code visibility in published software.

    FSF is an advocate of the public's freedom to published software.

    The only one of the above opposed to privacy is MS, who still requires that purchasers of its software not be permitted to make private copies or derivatives of its software - and it demands the right to 'audit' your private premises to assert this.

    As far as the GPL is concerned there is no constraint on what you get up to privately, nor compulsion to publish your private modifications. Some people mistake protection against obfuscation as a compulsion to publish modifications. This is not the case. The GPL simply requires that if you are publishing a GPL derivative that you do not obfuscate it (publish a binary derivative without source code).

    There are other movements such as the Gift Economists who do require that all private modifications are surrendered free of charge to remote users. Appropriate licenses are the APL and HPL. These require continuous publication of source code and thus prevent private modification. Copyright's prohibition of private derivatives is used to enforce this.

  24. Not much music then on MySpace to Use Audio Fingerprinting · · Score: 1

    Apart from a few dusty 78rpm shellacs, pretty much all music recordings are copyrighted, so MySpace is going to find itself pretty barren.

  25. Re:Yes on How the DMCA Protects YouTube · · Score: 2, Insightful

    Ahem. Society never had anything to do with it.

    PUBLISHERS thought monopolistic privileges were a good idea, and governments were happy to oblige.

    However, we don't need publishers for digital art, so there's no point creating artificial monopolies on its reproduction.

    The traditional publishers don't like this.

    The new publishers (all Internet users) may sympathise, but it's a very big leap to conclude that society supports copyright on digital works.

    Q1) Given it helps struggling artists pay their bills and save up to start a family, do you support copyright?
    A1) Oh yes.

    Q2) Have you ever lent a copyrighted work to a friend without tracking down the poor artist concerned to ask for their permission?
    A2) Er....

    Q3) Have you ever borrowed a copyrighted work from a friend without tracking down the poor artist concerned to ask for their permission?
    A3) Er....

    Q4) Have you ever made a copy of a copyrighted work without tracking down the poor artist concerned to ask for their permission?
    A4) Er....

    Q5) Have you ever downloaded a copyrighted work without tracking down the poor artist concerned to ask for their permission?
    A5) Er....

    Q6) Have you ever used BitTorrent to obtain a copyrighted work without tracking down the poor artist concerned to ask for their permission?
    A6) Er....

    Q7) Have you ever used a file sharing program and left a copyrighted work in your share folder without tracking down the poor artist concerned to ask for their permission?
    A7) Er....

    Q8) Have you ever modified a copyrighted work without tracking down the poor artist concerned to ask for their permission?
    A8) Er....

    Q9) Have you ever published a modified copyrighted work without tracking down the poor artist concerned to ask for their permission?
    A9) Er....

    Q10) Do you persist in declaring your support for copyright?
    A10) Er....yes?