The music creators are voluntarily transferring their copyrights to the record companies. Despite Card's colorful language, no one forces them to do this or to agree to the record companies' terms. The creators choose this course (over, say, trying to sell their music on the net themselves) because they see it as the most advantageous for their own situation.
When you purchase the CD, you are implicitly agreeing to respect the copyright. That limitation is, in effect, a condition of the sale. The record companies, acting as the agents of the music creators, are saying, buy this only if you agree not to redistribute the music or violate any other copyrights.
Once you have bought a CD, you are bound by your promise. You have agreed not to redistribute the contents. If you then share the music online, you are behaving dishonestly. You took something of value in exchange for your promise, and you are going back on your word. You are showing yourself to be a liar who breaks his promises.
All unauthorized file sharing is built upon a foundation of dishonesty. This is the real problem with the popularity of P2P networks. They are further eroding the morals and standards on which our culture was built. There was a time when a person was judged by whether his word was good. This judgement provides a basis for trust and cooperation. Without this foundation of honesty, our complex technological civilization will suffer.
There is no honor among thieves, nor among liars. Join me in refusing to participate in P2P filesharing networks that are built around lies and deceit. Boycott those who would throw away their good name for a few hours of music. Reclaim your honor!
I mostly support the EFF. But when they started promoting compulsory licensing, I decided not to support them.
I have given EFF money in the past (and got the T shirt) but I agree, since they have jumped onto the compulsory licensing bandwagon I don't know what to think. This is a bad idea in so many ways that go against the traditional interests of the EFF. A big one is lack of privacy about what you're doing online. Any CL system is going to have to keep track of who is downloading what in order to figure out what royalties are due. This is going to require a new level of invasiveness.
And frankly the whole idea of supporting file sharing, which IMO is dishonest and requires people to break their promises (when they bought the CD they implicitly agreed not to share it with millions of people!) seems misguided and not part of the EFF's traditional goals of defending online freedom. It's one thing to be free online, it's another to lie about whether you will honor other people's copyrights.
Having said all this, the linked Lawmeme article is actually part of a series that questions and opposes the compulsory licensing concept. The most recent article attempts to show that the P2P companies behind it are harming their own interests.
Maybe the other commentators are right that this is all just a flimsy legal "cover story" that no one expects to win, just a fig leaf to grant a veneer of legitimacy to the file sharing companies by letting them argue that they are trying to be legal. And maybe the EFF sees CL the same way, a fake campaign that no one expects to go anywhere, but maybe will put pressure on the content industry. But I'm no happier to support the organization just because it may be insincere about a bad idea.
Perhaps I haven't been following closely enough, but exactly who is to be compelled to license what, from whom?
The compulsion in "compulsory licensing" is against the copyright holders. They are compelled to license their creations on terms specified by the government. (Of course, in practice their lobbyists play a major part in setting the terms, so the content industry isn't exactly a victim.) This is what allows public performances of copyrighted music, as long as royalties are paid according to the government-defined schedule. See USC Title 17 for how compulsory licensing works for recorded music.
The Register article is pointing at a patent APPLICATION. Despite their comment, "But an umbrella claim that protects its .NET APIs, granted last week, highlights the extent of its determination to protect its interfaces," I don't see any patent granted last week.
It remains to be seen whether the .NET API is even patentable. Certainly claim 1, as written, is not patentable: "1. A software architecture for a distributed computing system comprising: an application configured to handle requests submitted by remote devices over a network; and an application program interface to present functions used by the application to access network and computing resources of the distributed computing system." There are a zillion systems out there that match the terms of this claim precisely. So it is hardly novel.
In fact the whole patent application is written so poorly that I can't see it being granted in anything like its present form. Maybe there is a way of patenting an API but this ain't it.
People already *know* what will most likely happen tech-wise within their lifetime.
In this you have echoed a comment from the article, "Heck, if you were to ask the average person on the street, I suspect you would probably receive a fairly detailed account of where all this new stuff will take us over the next few years."
I'm very surprised. I am immensely puzzled over where tech will take us over the course of the next few decades. What will happen with nanotech? With biotech? With AI and augmented reality and universal computing?
It's possible that in 30 years we will be able to change our houses around at a verbal request, like living in a Star Trek Holodeck, if nanotech and AI work out. Computer, move the window a little more to the right, and change the wall color to dark green. We may be able to effectively teleport anywhere in the world, activating telepresence based mannequins which reshape themselves to look like us. In 20 years we may have cured cancer and even fixed old age, so that people can live forever.
Am I just a dreamer, are these impossible fantasies? Or would the average man on the street simply shrug and say "of course" when offered these possible futures? I don't think so, for either. I think our SF writers have dropped the ball by failing to depict a continuing course of rapid change over the next few decades. Vinge is one exception, with his Fast Times short story and upcoming novel. Maybe that will shock the masses out of their complacent "the future will be like today only more so" attitude.
How about an online game site that doesn't want people to use cheating clients which allow them to see through walls, use auto-targeting and other features which are ruining so many online games?
Download a client that uses encryption, and download a new one every now and then. If you send model data, send it encrypted and send a decoding key at the very last moment.
How will encryption help? The client has to know the key in order to decrypt the data. And a bogus client can receive and use the key just as easily as a valid client.
Are you relying on "security through obscurity", where you write a convoluted client, don't release source code, and hope it takes people a while to figure out where the keys are buried in it? Please! Those systems are easily cracked and totally insecure.
The method I proposed, in contrast, provides strong security which relies on TCPA technology and hardware-based encryption.
How about a P2P system which wants to make sure people are running legitimate clients that report accurate hashes of the songs available, to prevent the RIAA from salting networks with bogus songs?
Doesn't this require some special "won't run if owned by a member of the RIAA" chip? I was not aware that was a feature of TCPA.
No, it requires a client which is written to accurately report the hashes of songs that it has, and then to upload the same versions of those songs and not substitute bogus versions. This prevents RIAA agents from claiming to have good versions of songs (that match the widely-distributed hash) and then providing repetitive junk when people ask for the songs.
With TCPA, remote systems can verify that the client is a good one which behaves in this way and doesn't cheat. Without TCPA there would be no way to know what software the other guy's system is running and no way to be sure that it will behave as desired.
This is why it's called "Trusted Computing", by the way. It gives you reason to trust the behavior of a remote system.
The argument I would hope to make (possibly needing a modified GPL license version to explicitly require this) is that by signing the software (which is my copyright), you have created a derivative work, which is illegal.
Wow, that's amazing. I can't sign your code without giving away my key. It's astonishing that you think you hold that much power over me.
How would you feel if I simply said "I trust software version N, the one with hash X." Is that okay, or is my comment a derivative work, too? Would you claim that every comment about your software is a derivative work and you get control over how those comments are disseminated?
How about if I make that comment as part of a signed message? Now is it a derivative work? The fact that my statement can be authenticated by a public key?
Because that's really what a signature is, you know - a statement, whose source is verifiable and can be traced to a particular key, or key holder. In claiming the right to control what signatures people make on your software, you are claiming the right to control the kinds of statements they make about your software.
Hopefully it is clear that this approach is a non-starter. The creator of a software program has no such right or power to limit what people say about it, even if those statements are backed up by public key signatures.
Linus Torvalds takes a strong and principled position on the matter in this slashdot discussion. He agrees that the code creator has no control over what signatures people put on it, or what usage decisions are made by those who choose to trust such signatures.
Now that most of the lies and falsehoods have been eliminated (Your system won't boot linux!
It won't. Will Linus Torvalds be able to pull a tarball from kernel.org, compile it, and boot it on the system?
No he will not.
Yes, he will.
His system will still boot, but it may have a different "fingerprint" (crypto hash) than a widely-accepted Linux+TCPA system. This could prevent it from participating in TCPA-dependent network applications. It might not be able to download DRM-protected data, for example; or participate in an online game which required users to use a TCPA-validated OS.
Is this system "gutted"? I wouldn't say so. He could still do a lot of things with the computer. It just wouldn't be able to participate as fully in those parts of the net that require TCPA.
I do not, however, like the attitude of the submitter's blurb, which spins this system as a useful feature to compete with Microsoft(tm), rather than a way to cut off the stream of cheap, general-purpose computers that make Open Source possible.
As the submitter, I will just comment that my ideal world is one of diversity and competition. I would love to see some content sold with strict DRM limitations competing against other content sold without restrictions. I would love to see closed systems competing against open ones. I would love to see open source competing against proprietary software.
I want people to have choices and alternatives. Technologies like Trusted Computing offer new possibilities for how people can use their computers. Now that most of the lies and falsehoods have been eliminated (Your system won't boot linux! Only microsoft signed code will run!), people are beginning to understand the tradeoffs which will exist if they choose to purchase and enable this technology.
For every company that chooses to impose harsh restrictions on the usage of its software and data, there will be another (or an open source project) which distinguishes itself by openness. People will still have alternatives and choices, even more than they do today, because today it is impossible to create a truly closed and trusted network-wide application.
This technology has good uses and bad, but I trust individuals, acting together in the marketplace, to teach the vendors which usages are acceptable and which are not. No company, not even Microsoft, has a monopoly so strong that they can simply lay down rules without care or concern about the impact on their customers. Every company is subject to the discipline of the market, and the same is true for open source projects as well.
If a project or company succeeds, ultimately it is by meeting the needs of its customers and users. And in order to best meet those needs, the widest possible range of technologies must be made available. That is ultimately why I support Trusted Computing, because it is a technology which provides new alternatives for how software communicates and manages its data.
Palladium, on the other hand, uses similar technology to make sure that the user does not do anything else than what is allowed by content owners. In that case software openness is impossible - otherwise you could do some harm to their system - attacking from inside...
Q: How can anyone be sure that the nexus and related components do exactly what you claim they do?
A: Microsoft will make widely available for review the source code of the trusted computing base so it can be evaluated widely and validated.
According to your theory, this kind of openness would be incompatible with Palladium. In fact, you are wrong, and Palladium's use of hardware based security allows it to open its software for inspection without fear of security risks.
Suppose you buy a Playstation5 from Sony and request the kernel code under GPL. If you compile the kernel without having the key, you've got a working kernel. The hardware you own won't load it, but that's not Sony's problem....
I would rather that this legal interpretation doesn't hold, as it perverts the intent of GNU "Free Software", but it hasn't been seriously challenged yet.
It makes a lot of sense to me. Otherwise, under your preferred interpretation, I could sign your GNU software, and set up a machine that will only run the signed version. Then when someone creates a derivative work, it would not run on my machine. You wouldn't be able to redistribute it without my key. So I could hold you hostage and prevent your redistribution, by your interpretation.
Just because someone chooses not to run or trust modified versions of software, that does not stop people from making changes. Even if that "someone" is important, like a successful PC manufacturer, or a widely-used online service, it doesn't change the principle.
GPL lets people modify code for their own use; it doesn't give anyone else an affirmative duty to respect or utilize the modified code in the same way as the original. But that's basically what you're asking for.
An assumption that DRM-proponents sometimes forget to mention is that the system will require government cooperation to work at all. Specifically, anyone who cracks open DRM hardware to read keys that could be used to make an emulator must be treated as the highest class of terrorist. To protect the American way, corporate property must be respected!
Probably the DMCA is enough. Cracking open a Trusted Computing chip will count as circumventing copyright protection technology, which is criminalized by the DMCA. No new laws are needed.
Ironically this suggests that TCPA and Palladium *need* to be construed as being used for DRM, in order to gain the protections of the DMCA. Both sides try to distance themselves from the DRM idea, but if their chips really weren't going to be used for copyright protection, then the DMCA wouldn't apply and it would be legal to circumvent them!
"Data can be protected with a secure pathway from the keyboard through the computer to the monitor screen, preventing it from being secretly intercepted or spied on" Yeah like this is a major security problem with current day computing. I've always wondered if my information is secure between my keyboard and the monitor :)
It's not funny. Ever heard of a keystroke logger? What if you're typing a password for your online bill payment service, wouldn't you like to have a secure path from the keyboard to the program? And if your bank software is displaying the account number on the screen, it would be nice if back orifice or some other Trojan program was unable to peek at the video memory. This is the kind of thing that Palladium aims to protect against, in the passage you quoted.
The fact that you cannot read the key, and thus cannot simulate the TCPA machine on a different piece of hardware or with a software emulator, is only for DRM. I challenge you to come up with a single reason for this that is not equivalent to DRM.
How about an online auction site that only wants to let people use approved clients, to prevent "sniping" and other unfriendly bidding practices?
How about an online game site that doesn't want people to use cheating clients which allow them to see through walls, use auto-targeting and other features which are ruining so many online games?
How about a P2P system which wants to make sure people are running legitimate clients that report accurate hashes of the songs available, to prevent the RIAA from salting networks with bogus songs?
None of these are DRM, but they all require that people not be able to simulate or fake TCPA, because then they could run bogus clients which would not follow the rules. There are many good applications for setting up networks where you know that everyone is running "good" software and no one is cheating. This is an important capability provided by TCPA (and Palladium).
In the large financial company I work for, a proportion of the software on the desktop is in-house developed. Will the corporate IT department accept a windows upgrade that would mean every new release had to be submitted to MS for signing?
Christ, how long will it be before this lie is put to bed?
Palladium does not require Microsoft to sign applications! Read the Microsoft technical FAQ: "Anyone can write an application to take advantage of new APIs that call to the nexus and related components without notifying Microsoft or getting Microsoft's approval."
This has been reiterated over and over and yet the message doesn't get out. The belief that Palladium will only run Microsoft signed code is by far the most common misconception about the technology.
There may be good reasons to oppose Palladium, but let's base our reasoning on truth rather than lies. And by the way, you might want to think about who told you this lie, and ask whether they had an agenda of their own. Maybe the source of this misinformation is not as trustworthy as you think.
Like many things, TCPA is a neutral technology. If the TCPA just sits on the board unused, you'd never know it's there at all. With Palladium, your system will be actively user hostile and RIAA/MPAA/MS friendly.
That's a false distinction. You can leave Palladium turned off as well. It just means that you won't be able to run applications that require Palladium. But it's the same with TCPA, you can leave it off but then you won't be able to run applications that require that technology.
And Palladium is no more RIAA... friendly than TCPA. Both systems provide the same basic functionality, of encrypting data such that it is locked to a given software configuration, and allowing software to prove its configuration to remote systems. This is what will allow a server to restrict downloads to software components that will only support DRM.
Now, in practice, Palladium is of more interest to the content companies because it is going to be so much more widely deployed than Linux+TCPA. The main TCPA (now called TCG) applications will be on non-desktop platforms like cell phones and PDAs. But both are variations on the same Trusted Computing theme.
The ability to quickly download and run a new program is valuable. However, DRM can be implemented in a way which is mostly compatible with that ability. This unfortunately means that we cannot depend on market pressure to protect us from the spread of hard DRM.
Your statement is right but your implementation is all wrong. The way it actually works is that each program is able to encrypt its data so that only that program, or other programs signed with a per-program key, can access that data. And likewise, programs can authenticate themselves on the net as being signed by a particular key.
The point is that there is not one "magic" key, but rather each application or manufacturer or developer who wants to use this technology creates his own key. That key controls access to the data for that application, and programs signed with that key can prove their signatures to each other.
In this approach, there are NO LIMITATIONS on the use of ordinary applications or what developers want to do. You can write and run any software you want. But your software won't be able to access your Quicken billpaying database, because that is encrypted using a key that only Quicken-signed software can access. And your software won't be able to display your downloaded movies, because those were saved by a video program certified by the MPAA and encrypted using their own key.
This is the basic idea behind Palladium (NGSCB) and TCPA (TCG). They retain backwards compatibility, but add a new capability for program-specific encryption and remote attestation.
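The sealing and remote attestation described in the comments above can be sketched as follows. This is an added example, not code from the thread, from TCPA or from Palladium. The chip model, the component names and the two secrets are constructed for illustration; SHA-256 and HMAC stand in for the chip's real hash and for its asymmetric attestation signature.

```python
import hashlib
import hmac
import os

# Constructed sample values: secrets that would live inside the chip.
SEAL_SECRET = b"constructed-seal-secret"
ATTEST_KEY = b"constructed-attestation-key"   # verifier holds this in the model
STOCK_CHAIN = [b"bootloader 1.0", b"stock kernel", b"approved client 1.0"]
MODIFIED_CHAIN = [b"bootloader 1.0", b"self-compiled kernel", b"approved client 1.0"]


def _h(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC in counter mode as a stand-in cipher (illustration only).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = _mac(key, nonce, (i // 32).to_bytes(4, "big"))
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


class ModelChip:
    """Toy model of the hardware: secrets are private, the PCR is public."""

    def __init__(self, seal_secret: bytes, attest_key: bytes):
        self._seal_secret = seal_secret
        self._attest_key = attest_key
        self.pcr = bytes(32)            # zeroed at power-on

    def extend(self, component: bytes) -> None:
        # The register can only be extended, never set, so its final value
        # depends on every component loaded and on the load order.
        self.pcr = _h(self.pcr, _h(component))

    def _seal_key(self) -> bytes:
        # The key depends on the current software fingerprint.
        return _mac(self._seal_secret, self.pcr)

    def seal(self, data: bytes) -> bytes:
        key, nonce = self._seal_key(), os.urandom(16)
        ct = _xor_stream(key, nonce, data)
        return nonce + _mac(key, nonce, ct) + ct

    def unseal(self, blob: bytes):
        key = self._seal_key()
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        if not hmac.compare_digest(tag, _mac(key, nonce, ct)):
            return None                 # different software, different key
        return _xor_stream(key, nonce, ct)

    def quote(self, challenge: bytes):
        # Attestation: the chip vouches for the fingerprint it measured.
        return self.pcr, _mac(self._attest_key, challenge, self.pcr)


def boot(chain) -> ModelChip:
    """Any chain boots; the chip only records what was loaded."""
    chip = ModelChip(SEAL_SECRET, ATTEST_KEY)
    for component in chain:
        chip.extend(component)
    return chip


def expected_pcr(chain) -> bytes:
    """What a remote verifier computes for a configuration it trusts."""
    pcr = bytes(32)
    for component in chain:
        pcr = _h(pcr, _h(component))
    return pcr


def verify_quote(attest_key, challenge, pcr, sig, trusted_pcrs) -> bool:
    genuine = hmac.compare_digest(sig, _mac(attest_key, challenge, pcr))
    return genuine and pcr in trusted_pcrs


if __name__ == "__main__":
    stock, modified = boot(STOCK_CHAIN), boot(MODIFIED_CHAIN)
    blob = stock.seal(b"billpay database")
    print("stock unseals:   ", stock.unseal(blob))
    print("modified unseals:", modified.unseal(blob))
    challenge = os.urandom(16)
    trusted = {expected_pcr(STOCK_CHAIN)}
    for name, chip in (("stock", stock), ("modified", modified)):
        pcr, sig = chip.quote(challenge)
        print(name, "accepted:", verify_quote(ATTEST_KEY, challenge, pcr, sig, trusted))
```

Both chains boot in this model. The modified one simply cannot unseal data sealed under the stock fingerprint or pass a verifier that trusts only that fingerprint, and without the chip's key it cannot produce a quote for a fingerprint it did not measure.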
...and as I understood it, there are two main GSM ciphers in use, A5/1 which is "strong" and A5/2 which is "weak". Both have attacks, but the one mentioned in the article which is very fast and effective is only against A5/2. The A5/1 attacks are more theoretical in that they involve known plaintext, meaning you have to guess the exact bits which were encrypted for some portion of the conversation. Plus they take enormously more work.
Apparently A5/2 is mostly used in the Middle East, including Israel. These are the people most affected by the new break. European GSM uses A5/1 which is still basically safe, it will be much cheaper to tap the landlines for those users. It is the Israelis and other A5/2 users who are toast.
This is a good analysis, but I think a few of the criticisms are off base.
First, a number of the supposed weaknesses they present are not actually exploitable; all of the ones relating to the file systems on the voting machines, for example. They offer no proposals for how an attacker could get access to these file systems or alter the files. It's not like he can just stick in a floppy and get it to run his favorite hacking program. As long as these are closed systems running the designer's software, there is no need for file system protection.
Second, many of the smart-card related attacks present far-fetched scenarios for how a hypothetical attacker could discover the weakness. This is a common flaw among such analyses; working with 20-20 hindsight, the researchers attempt to put themselves in the shoes of an attacker who doesn't have access to the source code but who always guesses right about how things work. It is far-fetched at best to propose that someone could cut the cable to the smart card reader in the voting booth, install some kind of monitoring device, inspect the protocol between machine and card, and then go home and use the data to deduce how to manufacture forged cards. Yet that is exactly what the authors suggest.
In truth, the real weakness of the system is the implicit assumption that the source code would be kept secret. Security through obscurity works only as long as the obscurity is maintained. If the code is leaked or stolen, these assumptions are violated and the system becomes insecure.
In this context, then, the real question is whether this is a true and up to date representation of the code that is implemented in the machines. One question I had was if so, why they weren't able to validate any of their assumptions about how poll workers were trained to operate the machines by referring to training manuals or at least verbally contacting some workers. At this point it seems to be entirely hypothetical whether this code is actually being used in any current voting machines, and therefore whether the attacks presented would actually work in the field.
Whining about this is almost as bad as the tool that got kicked off a British Airways flight for wearing a button that said "Suspected Terrorist."
John Gilmore has done more for personal freedoms and liberties on the net than anyone you know. He founded or helped found the EFF, the "alt" newsgroups, the Cypherpunks, and Cygnus Support, the first company that showed that you could make money supporting open source software. Cygnus was later bought by Red Hat for umpteen millions of dollars, but Gilmore was already rich, having been one of the first employees at Sun Microsystems.
As for the button incident, his point is that we are all being treated as suspected terrorists under the current regulations. As long as people put up with that without a protest, nothing is going to change. We should all be grateful that someone with Gilmore's credentials and financial strength is doing something about the increasingly harsh restrictions that all of us face as the government cracks down.
Some are fighting because DirecTV wants an admission of guilt, and some are fighting because they have ordered so much stuff, DirecTV's 'settlement' offer is still in the millions of dollars. Last, a few are fighting because they have the money (Dellionaires) and are fighting on principle alone.
You're anonymous (more or less), your lawyer friend is anonymous, and his clients are anonymous. So you're not giving anything away if you answer this. How many of these clients are actually guilty versus clients who bought these programmers for legitimate purposes?
My guess is they're virtually all guilty. All this talk about barratry and misuse of the legal system doesn't make sense if DirecTV actually has a legal case against almost everyone they are suing.
The real problem is widespread violation of the law, not DirecTV's attempts to get it stopped.
OpenSecrets is a great resource, and it's useful to not trust the article and actually look for yourself. The notion that Conyers gets 25% of his money from "Hollywood" struck me as odd, since he represents Detroit.
In 2002 (last election), he got $49,859 from TV/Movies/Music, out of over $400,000 raised. In 2003, he's gotten $2,860 out of $104,000.
Looks like he's gotten more like 10% of his money from the entertainment biz, not 25%. Do the /. editors actually do any fact checking before they post???
You looked at the wrong stat. You looked at the PAC contributions only. Politicians are bought also by individual contributions...
Top Industries supporting Berman lists TV/Music/Movies as #1 with roughly 25% of all contributions made to the "honorable" Howard L. Berman (for sale for highest bidder).
No, he used the same stat you did, but he was looking at Conyers rather than Berman. Top Industries supporting Conyers lists TV/Music/Movies as #2 with $49,859 out of $413,618 total. That comes out to 12%, less than half of the 25% claimed in the article.
the EFF's general vibe of promoting online privacy and the right to anonymity would make the EFF incompatible with DRM systems
Compulsory licensing is not DRM, so your comment doesn't make sense. Compulsory licensing means that license holders (the "evil" record companies) are compelled to license their material - and compensated for it, of course. It is basically what makes radio possible.
How it would work in P2P is that there would be some measure of which songs are being shared, a sort of Nielsen Ratings for P2P. Then the license holders for those songs would get paid in proportion to how popular they were.
What would fund them? Possibly the good old modem tax, or some similar measure that charges people who do a lot of file sharing more than people who do less. Read this article by EFF attorney Fred von Lohmann to hear it from the horse's mouth.
You are totally off base in thinking that the EFF does not support compulsory licensing. They have been pushing that "solution" for quite a while now.
Personally, I think it is a terrible idea, and I'm glad to see someone has finally given it a good public roasting. Hopefully the concept will die a quiet death and the EFF can get back to protecting people's privacy instead of forcing them to pay a modem tax and putting the government in charge of paying artists.
The music creators are voluntarily transferring their copyrights to the record companies. Despite Card's colorful language, no one forces them to do this or to agree to the record companies' terms. The creators choose this course (over, say, trying to sell their music on the net themselves) because they see it as the most advantageous for their own situation.
When you purchase the CD, you are implicitly agreeing to respect the copyright. That limitation is, in effect, a condition of the sale. The record companies, acting as the agents of the music creators, are saying, buy this only if you agree not to redistribute the music or violate any other copyrights.
Once you have bought a CD, you are bound by your promise. You have agreed not to redistribute the contents. If you then share the music online, you are behaving dishonestly. You took something of value in exchange for your promise, and you are going back on your word. You are showing yourself to be a liar who breaks his promises.
All unauthorized file sharing is built upon a foundation of dishonesty. This is the real problem with the popularity of P2P networks. They are further eroding the morals and standards on which our culture was built. There was a time when a person was judged by whether his word was good. This judgement provides a basis for trust and cooperation. Without this foundation of honesty, our complex technological civilization will suffer.
There is no honor among thieves, nor among liars. Join me in refusing to participate in P2P filesharing networks that are built around lies and deceit. Boycott those who would throw away their good name for a few hours of music. Reclaim your honor!
I mostly support the EFF. But when they started promoting compulsary licencing, I decided not to support them.
I have given EFF money in the past (and got the T shirt) but I agree, since they have jumped onto the compulsory licensing bandwagon I don't know what to think. This is a bad idea in so many ways that go against the traditional interests of the EFF. A big one is lack of privacy about what you're doing online. Any CL system is going to have to keep track of who is downloading what in order to figure out what royalties are due. This is going to require a new level of invasiveness.
And frankly the whole idea of supporting file sharing, which IMO is dishonest and requires people to break their promises (when they bought the CD they implicitly agreed not to share it with millions of people!) seems misguided and not part of the EFF's traditional goals of defending online freedom. It's one thing to be free online, it's another to lie about whether you will honor other people's copyrights.
Having said all this, the linked Lawmeme article is actually part of a series that questions and opposes the compulsory licensing concept. The most recent article attempts to show that the P2P companies behind it are harming their own interests.
Maybe the other commentators are right that this is all just a flimsy legal "cover story" that no one expects to win, just a fig leaf to grant a veneer of legitimacy to the file sharing companies by letting them argue that they are trying to be legal. And maybe the EFF sees CL the same way, a fake campaign that no one expects to go anywhere, but maybe will put pressure on the content industry. But I'm no happier to support the organization just because it may be insincere about a bad idea.
Perhaps I haven't been following closely enough, but exactly who is to be compelled to license what, from whom?
The compulsion in "compulsory licensing" is against the copyright holders. They are compelled to license their creations on terms specified by the government. (Of course, in practice their lobbyists play a major part in setting the terms, so the content industry isn't exactly a victim.) This is what allows public performances of copyrighted music, as long as royalties are paid according to the government-defined schedule. See USC Title 17 for how compulsory licensing works for recorded music.
The Register article is pointing at a patent APPLICATION. Despite their comment, "But an umbrella claim that protects its .NET APIs, granted last week, highlights the extent of its determination to protect its interfaces," I don't see any patent granted last week.
It remains to be seen whether the .NET API is even patentable. Certainly claim 1, as written, is not patentable: "1. A software architecture for a distributed computing system comprising: an application configured to handle requests submitted by remote devices over a network; and an application program interface to present functions used by the application to access network and computing resources of the distributed computing system." There are a zillion systems out there that match the terms of this claim precisely. So it is hardly novel.
In fact the whole patent application is written so poorly that I can't see it being granted in anything like its present form. Maybe there is a way of patenting an API but this ain't it.
People already *know* what will most likely happen tech-wise within their lifetime.
In this you have echoed a comment from the article, "Heck, if you were to ask the average person on the street, I suspect you would probably receive a fairly detailed account of where all this new stuff will take us over the next few years."
I'm very surprised. I am immensely puzzled over where tech will take us over the course of the next few decades. What will happen with nanotech? With biotech? With AI and augmented reality and universal computing?
It's possible that in 30 years we will be able to change our houses around at a verbal request, like living in a Star Trek Holodeck, if nanotech and AI work out. Computer, move the window a little more to the right, and change the wall color to dark green. We may be able to effectively teleport anywhere in the world, activating telepresence based mannequins which reshape themselves to look like us. In 20 years we may have cured cancer and even fixed old age, so that people can live forever.
Am I just a dreamer, are these impossible fantasies? Or would the average man on the street simply shrug and say "of course" when offered these possible futures? I don't think so, for either. I think our SF writers have dropped the ball by failing to depict a continuing course of rapid change over the next few decades. Vinge is one exception, with his Fast Times short story and upcoming novel. Maybe that will shock the masses out of their complacent "the future will be like today only more so" attitude.
I foresee an enormous tourist interest, to the point that someday several elevators will be sent up exclusively for tourists to use.
Yeah, but imagine the security screening they'll have to go through... Probably make an alien abduction feel like a casual glance....
How will encryption help? The client has to know the key in order to decrypt the data. And a bogus client can receive and use the key just as easily as a valid client.
Are you relying on "security through obscurity", where you write a convoluted client, don't release source code, and hope it takes people a while to figure out where the keys are buried in it? Please! Those systems are easily cracked and totally insecure.
The method I proposed, in contrast, provides strong security which relies on TCPA technology and hardware-based encryption.
Doesn't this require some special "won't run if owned by a member of the RIAA" chip? I was not aware that was a feature of TCPA.
No, it requires a client which is written to accurately report the hashes of songs that it has, and then to upload the same versions of those songs and not substitute bogus versions. This prevents RIAA agents from claiming to have good versions of songs (that match the widely-distributed hash) and then providing repetitive junk when people ask for the songs.
With TCPA, remote systems can verify that the client is a good one which behaves in this way and doesn't cheat. Without TCPA there would be no way to know what software the other guy's system is running and no way to be sure that it will behave as desired.
This is why it's called "Trusted Computing", by the way. It gives you reason to trust the behavior of a remote system.
The argument I would hope to make (possibly needing a modified GPL license version to explicitly require this) is that by signing the software (which is my copyright), you have created a derivative work, which is illegal.
Wow, that's amazing. I can't sign your code without giving away my key. It's astonishing that you think you hold that much power over me.
How would you feel if I simply said "I trust software version N, the one with hash X." Is that okay, or is my comment a derivative work, too? Would you claim that every comment about your software is a derivative work and you get control over how those comments are disseminated?
How about if I make that comment as part of a signed message? Now is it a derivative work? The fact that my statement can be authenticated by a public key?
Because that's really what a signature is, you know - a statement, whose source is verifiable and can be traced to a particular key, or key holder. In claiming the right to control what signatures people make on your software, you are claiming the right to control the kinds of statements they make about your software.
Hopefully it is clear that this approach is a non-starter. The creator of a software program has no such right or power to limit what people say about it, even if those statements are backed up by public key signatures.
Linus Torvalds takes a strong and principled position on the matter in this slashdot discussion. He agrees that the code creator has no control over what signatures people put on it, or what usage decisions are made by those who choose to trust such signatures.
No he will not.
Yes, he will.
His system will still boot, but it may have a different "fingerprint" (crypto hash) than a widely-accepted Linux+TCPA system. This could prevent it from participating in TCPA-dependent network applications. It might not be able to download DRM-protected data, for example; or participate in an online game which required users to use a TCPA-validated OS.
Is this system "gutted"? I wouldn't say so. He could still do a lot of things with the computer. It just wouldn't be able to participate as fully in those parts of the net that require TCPA.
And keep in mind that Linus Torvalds himself endorses this technology! I quote, "I want to make it clear that DRM is perfectly ok with Linux!"
I do not, however, like the attitude of the submitter's blurb, which spins this system as a useful feature to compete with Microsoft(tm), rather than a way to cut off the stream of cheap, general-purpose computers that make Open Source possible.
As the submitter, I will just comment that my ideal world is one of diversity and competition. I would love to see some content sold with strict DRM limitations competing against other content sold without restrictions. I would love to see closed systems competing against open ones. I would love to see open source competing against proprietary software.
I want people to have choices and alternatives. Technologies like Trusted Computing offer new possibilities for how people can use their computers. Now that most of the lies and falsehoods have been eliminated (Your system won't boot linux! Only microsoft signed code will run!), people are beginning to understand the tradeoffs which will exist if they choose to purchase and enable this technology.
For every company that chooses to impose harsh restrictions on the usage of its software and data, there will be another (or an open source project) which distinguishes itself by openness. People will still have alternatives and choices, even more than they do today, because today it is impossible to create a truly closed and trusted network-wide application.
This technology has good uses and bad, but I trust individuals, acting together in the marketplace, to teach the vendors which usages are acceptable and which are not. No company, not even Microsoft, has a monopoly so strong that they can simply lay down rules without care or concern about the impact on their customers. Every company is subject to the discipline of the market, and the same is true for open source projects as well.
If a project or company succeeds, ultimately it is by meeting the needs of its customers and users. And in order to best meet those needs, the widest possible range of technologies must be made available. That is ultimately why I support Trusted Computing, because it is a technology which provides new alternatives for how software communicates and manages its data.
Then why does Microsoft say, in their FAQ:
According to your theory, this kind of openness would be incompatible with Palladium. In fact, you are wrong, and Palladium's use of hardware based security allows it to open its software for inspection without fear of security risks.
Suppose you buy a Playstation5 from Sony and request the kernel code under GPL. If you compile the kernel without having the key, you've got a working kernel. The hardware you own won't load it, but that's not Sony's problem....
I would rather that this legal interpretation doesn't hold, as it perverts the intent of GNU "Free Software", but it hasn't been seriously challenged yet.
It makes a lot of sense to me. Otherwise, under your preferred interpretation, I could sign your GNU software, and set up a machine that will only run the signed version. Then when someone creates a derivative work, it would not run on my machine. You wouldn't be able to redistribute it without my key. So I could hold you hostage and prevent your redistribution, by your interpretation.
Just because someone chooses not to run or trust modified versions of software, that does not stop people from making changes. Even if that "someone" is important, like a successful PC manufacturer, or a widely-used online service, it doesn't change the principle.
GPL lets people modify code for their own use; it doesn't give anyone else an affirmative duty to respect or utilize the modified code in the same way as the original. But that's basically what you're asking for.
An assumption that DRM-proponents sometimes forget to mention is that the system will require government cooperation to work at all. Specifically, anyone who cracks open DRM hardware to read keys that could be used to make an emulator must be treated as the highest class of terrorist. To protect the American way, corporate property must be respected!
Probably the DMCA is enough. Cracking open a Trusted Computing chip will count as circumventing copyright protection technology, which is criminalized by the DMCA. No new laws are needed.
Ironically this suggests that TCPA and Palladium *need* to be construed as being used for DRM, in order to gain the protections of the DMCA. Both sides try to distance themselves from the DRM idea, but if their chips really weren't going to be used for copyright protection, then the DMCA wouldn't apply and it would be legal to circumvent them!
"Data can be protected with a secure pathway from the keyboard through the computer to the monitor screen, preventing it from being secretly intercepted or spied on" Yeah like this is a major security problem with current day computing. I've always wondered if my information is secure between my keyboard and the monitor :)
It's not funny. Ever heard of a keystroke logger? What if you're typing a password for your online bill payment service, wouldn't you like to have a secure path from the keyboard to the program? And if your bank software is displaying the account number on the screen, it would be nice if back orifice or some other Trojan program was unable to peek at the video memory. This is the kind of thing that Palladium aims to protect against, in the passage you quoted.
The fact that you cannot read the key, and thus cannot simulate the TCPA machine on a different piece of hardware or with a software emulator, is only for DRM. I challenge you to come up with a single reason for this that is not equivalent to DRM.
How about an online auction site that only wants to let people use approved clients, to prevent "sniping" and other unfriendly bidding practices?
How about an online game site that doesn't want people to use cheating clients which allow them to see through walls, use auto-targeting and other features which are ruining so many online games?
How about a P2P system which wants to make sure people are running legitimate clients that report accurate hashes of the songs available, to prevent the RIAA from salting networks with bogus songs?
None of these are DRM, but they all require that people not be able to simulate or fake TCPA, because then they could run bogus clients which would not follow the rules. There are many good applications for setting up networks where you know that everyone is running "good" software and no one is cheating. This is an important capability provided by TCPA (and Palladium).
In the large financial company I work for, a proportion of the software on the desktop is in-house developed. Will the corporate IT department accept a windows upgrade that would mean every new release had to be submitted to MS for signing?
Christ, how long will it be before this lie is put to bed?
Palladium does not require Microsoft to sign applications! Read the Microsoft technical FAQ: "Anyone can write an application to take advantage of new APIs that call to the nexus and related components without notifying Microsoft or getting Microsoft's approval."
This has been reiterated over and over and yet the message doesn't get out. The belief that Palladium will only run Microsoft signed code is by far the most common misconception about the technology.
There may be good reasons to oppose Palladium, but let's base our reasoning on truth rather than lies. And by the way, you might want to think about who told you this lie, and ask whether they had an agenda of their own. Maybe the source of this misinformation is not as trustworthy as you think.
Like many things, TCPA is a neutral technology. If the TCPA just sits on the board unused, you'd never know it's there at all. With Palladium, your system will be actively user hostile and RIAA/MPAA/MS friendly.
That's a false distinction. You can leave Palladium turned off as well. It just means that you won't be able to run applications that require Palladium. But it's the same with TCPA, you can leave it off but then you won't be able to run applications that require that technology.
And Palladium is no more RIAA... friendly than TCPA. Both systems provide the same basic functionality, of encrypting data such that it is locked to a given software configuration, and allowing software to prove its configuration to remote systems. This is what will allow a server to restrict downloads to software components that will only support DRM.
Now, in practice, Palladium is of more interest to the content companies because it is going to be so much more widely deployed than Linux+TCPA. The main TCPA (now called TCG) applications will be on non-desktop platforms like cell phones and PDAs. But both are variations on the same Trusted Computing theme.
The ability to quickly download and run a new program is valuable. However, DRM can be implemented in a way which is mostly compatible with that ability. This unfortunately means that we cannot depend on market pressure to protect us from the spread of hard DRM.
Your statement is right but your implementation is all wrong. The way it actually works is that each program is able to encrypt its data so that only that program, or other programs signed with a per-program key, can access that data. And likewise, programs can authenticate themselves on the net as being signed by a particular key.
The point is that there is not one "magic" key, but rather each application or manufacturer or developer who wants to use this technology creates his own key. That key controls access to the data for that application, and programs signed with that key can prove their signatures to each other.
In this approach, there are NO LIMITATIONS on the use of ordinary applications or what developers want to do. You can write and run any software you want. But your software won't be able to access your Quicken billpaying database, because that is encrypted using a key that only Quicken-signed software can access. And your software won't be able to display your downloaded movies, because those were saved by a video program certified by the MPAA and encrypted using their own key.
This is the basic idea behind Palladium (NGSCB) and TCPA (TCG). They retain backwards compatibility, but add a new capability for program-specific encryption and remote attestation.
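The sealing and attestation behaviour described in the comment above, as an added Python model that is not part of the original discussion and not any TCPA or Palladium API. `ToyChip`, `measure`, `verify_quote` and the sample software stacks are constructed for illustration; HMAC stands in for both the chip's cipher and its attestation signature, and data is bound to the exact measured software rather than to a signer's key.

```python
import hashlib
import hmac
import os


def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()


def _xor_stream(key, nonce, data):
    # Illustrative HMAC-based keystream; stands in for the chip's real cipher.
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = _mac(key, nonce + block.to_bytes(8, "big"))
        out += bytes(a ^ b for a, b in zip(data[block:block + 32], pad))
    return bytes(out)


def measure(components):
    """Fold each component's hash into a register that starts at zero."""
    pcr = bytes(32)
    for c in components:
        pcr = hashlib.sha256(pcr + hashlib.sha256(c).digest()).digest()
    return pcr


class ToyChip:
    """Constructed model of a trusted-computing chip; not a real TPM interface."""

    def __init__(self):
        self._root = os.urandom(32)        # storage secret, never leaves the chip
        self.attest_key = os.urandom(32)   # stand-in for the attestation key pair
        self.pcr = bytes(32)

    def boot(self, components):
        # Any software boots; the register just records what was loaded.
        self.pcr = measure(components)

    def _keys(self):
        base = _mac(self._root, b"seal" + self.pcr)   # bound to current software
        return _mac(base, b"enc"), _mac(base, b"mac")

    def seal(self, data):
        enc, mac = self._keys()
        nonce = os.urandom(16)
        body = nonce + _xor_stream(enc, nonce, data)
        return body + _mac(mac, body)

    def unseal(self, blob):
        enc, mac = self._keys()
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, _mac(mac, body)):
            raise PermissionError("software differs from the sealing configuration")
        return _xor_stream(enc, body[:16], body[16:])

    def quote(self, nonce):
        # Report the register, bound to the verifier's fresh nonce.
        return self.pcr, _mac(self.attest_key, self.pcr + nonce)


def verify_quote(attest_key, nonce, quote, approved_components):
    """Server side: accept only a fresh, authentic report of the approved stack."""
    pcr, tag = quote
    authentic = hmac.compare_digest(tag, _mac(attest_key, pcr + nonce))
    return authentic and hmac.compare_digest(pcr, measure(approved_components))


# Constructed sample software stacks.
APPROVED = [b"bootloader v1", b"kernel v1", b"billpay client v1"]
MODIFIED = [b"bootloader v1", b"kernel v1", b"billpay client v1 (patched)"]
```

Booting `MODIFIED` still works in this model; it only changes the register, so `unseal` refuses data sealed under `APPROVED` and `verify_quote` rejects the report.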
...and as I understood it, there are two main GSM ciphers in use, A5/1 which is "strong" and A5/2 which is "weak". Both have attacks, but the one mentioned in the article which is very fast and effective is only against A5/2. The A5/1 attacks are more theoretical in that they involve known plaintext, meaning you have to guess the exact bits which were encrypted for some portion of the conversation. Plus they take enormously more work.
Apparently A5/2 is mostly used in the Middle East, including Israel. These are the people most affected by the new break. European GSM uses A5/1 which is still basically safe, it will be much cheaper to tap the landlines for those users. It is the Israelis and other A5/2 users who are toast.
Titania, it turns out, is Titanium Dioxide, used commonly as a white pigment. Read more about it at the Wikipedia.
This is a good analysis, but I think a few of the criticisms are off base.
First, a number of the supposed weaknesses they present are not actually exploitable; all of the ones relating to the file systems on the voting machines, for example. They offer no proposals for how an attacker could get access to these file systems or alter the files. It's not like he can just stick in a floppy and get it to run his favorite hacking program. As long as these are closed systems running the designer's software, there is no need for file system protection.
Second, many of the smart-card related attacks present far-fetched scenarios for how a hypothetical attacker could discover the weakness. This is a common flaw among such analyses; working with 20-20 hindsight, the researchers attempt to put themselves in the shoes of an attacker who doesn't have access to the source code but who always guesses right about how things work. It is far-fetched at best to propose that someone could cut the cable to the smart card reader in the voting booth, install some kind of monitoring device, inspect the protocol between machine and card, and then go home and use the data to deduce how to manufacture forged cards. Yet that is exactly what the authors suggest.
In truth, the real weakness of the system is the implicit assumption that the source code would be kept secret. Security through obscurity works only as long as the obscurity is maintained. If the code is leaked or stolen, these assumptions are violated and the system becomes insecure.
In this context, then, the real question is whether this is a true and up to date representation of the code that is implemented in the machines. One question I had was if so, why they weren't able to validate any of their assumptions about how poll workers were trained to operate the machines by referring to training manuals or at least verbally contacting some workers. At this point it seems to be entirely hypothetical whether this code is actually being used in any current voting machines, and therefore whether the attacks presented would actually work in the field.
Whining about this is almost as bad as the tool that got kicked off a British Airways flight for wearing a button that said "Suspected Terrorist."
John Gilmore has done more for personal freedoms and liberties on the net than anyone you know. He founded or helped found the EFF, the "alt" newsgroups, the Cypherpunks, and Cygnus Support, the first company that showed that you could make money supporting open source software. Cygnus was later bought by Red Hat for umpteen millions of dollars, but Gilmore was already rich, having been one of the first employees at Sun Microsystems.
He has steadily plowed his money back into causes designed to promote freedom online and in the physical world. He has funded the FreeS/Wan project designed to provide automatic link-based encryption. He's also funded efforts to add security to the DNS. He provided the money for the machine that proved once and for all that DES was insecure. He is presently suing the government over travel restrictions.
As for the button incident, his point is that we are all being treated as suspected terrorists under the current regulations. As long as people put up with that without a protest, nothing is going to change. We should all be grateful that someone with Gilmore's credentials and financial strength is doing something about the increasingly harsh restrictions that all of us face as the government cracks down.
Some are fighting because DirecTV wants an admission of guilt, and some are fighting because they have ordered so much stuff, DirecTV's 'settlement' offer is still in the millions of dollars. Last, a few are fighting because they have the money (Dellionaires) and are fighting on principle alone.
You're anonymous (more or less), your lawyer friend is anonymous, and his clients are anonymous. So you're not giving anything away if you answer this. How many of these clients are actually guilty versus clients who bought these programmers for legitimate purposes?
My guess is they're virtually all guilty. All this talk about barratry and misuse of the legal system doesn't make sense if DirecTV actually has a legal case against almost everyone they are suing.
The real problem is widespread violation of the law, not DirecTV's attempts to get it stopped.
You looked at the wrong stat. You looked at the PAC contributions only. Politicians are bought also by individual contributions...
Top Industries supporting Berman lists TV/Music/Movies as #1 with roughly 25% of all contributions made to the "honorable" Howard L. Berman (for sale for highest bidder).
No, he used the same stat you did, but he was looking at Conyers rather than Berman. Top Industries supporting Conyers lists TV/Music/Movies as #2 with $49,859 out of $413,618 total. That comes out to 12%, less than half of the 25% claimed in the article.
the EFF's general vibe of promoting online privacy and the right to anonymity would make the EFF incompatible with DRM systems
Compulsory licensing is not DRM, so your comment doesn't make sense. Compulsory licensing means that license holders (the "evil" record companies) are compelled to license their material - and compensated for it, of course. It is basically what makes radio possible.
How it would work in P2P is that there would be some measure of which songs are being shared, a sort of Nielsen Ratings for P2P. Then the license holders for those songs would get paid in proportion to how popular they were.
What would fund them? Possibly the good old modem tax, or some similar measure that charges people who do a lot of file sharing more than people who do less. Read this article by EFF attorney Fred von Lohmann to hear it from the horse's mouth.
You are totally off base in thinking that the EFF does not support compulsory licensing. They have been pushing that "solution" for quite a while now.
Personally, I think it is a terrible idea, and I'm glad to see someone has finally given it a good public roasting. Hopefully the concept will die a quiet death and the EFF can get back to protecting people's privacy instead of forcing them to pay a modem tax and putting the government in charge of paying artists.