Slashdot Mirror


User: Mathinker

Mathinker's activity in the archive.

Stories: 0
Comments: 1,998

Comments · 1,998

  1. That's not a valid argument for court, sorry on Vimeo Sued For Audio Infringement · · Score: 1

    Even though you are probably correct on a per-work basis, the labels would be laughed out of court if they tried to use it as a formal argument ("Your Honor, we have a portfolio of soooo many songs, no one else could possibly create a new original work not based on one of our songs!"). So I think both of us are right, in a way.

  2. So? EMI gave us the DMCA, let them use it on Vimeo Sued For Audio Infringement · · Score: 2, Informative

    > Therefore the message being sent is that violations of EMI's intellectual property may or may not be (... are not :p) acted against by Vimeo.

    Vimeo cannot act against the use of EMI's music unless EMI gives them cause for action. TFA says that the labels have already lost a similar battle against Veoh, because Veoh smartly defended themselves that they are protected under the safe harbor provisions of the DMCA. The only reason Vimeo might not be similarly protected is if the labels can somehow show that Vimeo is actively encouraging the infringement (as opposed to merely passively waiting for DMCA takedowns). My point is that the quote in question would seem to be far from being a clear incitement to infringe on EMI's copyrighted music unless one assumes that most non-original music is EMI's music.

    BTW, this doesn't mean that I think the labels will necessarily lose. The quote is only one small piece of the evidence which is presented in the lawsuit.

  3. Public domain & CC don't exist, eh? on Vimeo Sued For Audio Infringement · · Score: 1

    The use of the Vimeo employee's quote "original video ... not original music" as evidence that Vimeo is encouraging copyright infringement is a telling reflection on the music industry's idiotic hubris / disconnection from reality. All non-original music is Big Content music?

    Meh.

  4. Legal reform needed on ASCAP Seeks Licensing Fees For Guitar Hero Arcade · · Score: 5, Interesting

    There was one bar here that actually went out of business because of ASCAP. He had no jukebox and hired folk bands; these bands played old folk music that was in the public domain, and ASCAP sued anyway. He wouldn't cave on principle and the legal costs bankrupted him and he lost his business.

    We need a law which says that once a judge has ruled that a corporation has brought a frivolous lawsuit against someone, anytime it sues someone in the future it needs to finance the other side's legal fees, and only gets the money back if the judge rules they deserve it.

  5. Probably better for her than old TSA policy on Israeli Border Police Shoot US Student's Laptop · · Score: 0, Flamebait

    Since she was lucky and the hard drive wasn't hit, it was probably better in the end for her than what would have happened to her if she tried to enter the US with a laptop with Al-Qaeda stickers on it. Under the old rules (which supposedly have been changed under Obama), the TSA could arbitrarily seize the laptop for an indefinite period of time for investigation.

    I am of course assuming she had valuable data on the hard drive compared with the price of the hardware.

    Given the political statements on her laptop, one wonders what kind of provocation she might have tried with the guards. I don't believe that justifies their reaction, and wouldn't be surprised if they are disciplined (which will, of course, generate zero coverage outside of Israel), but most rational people understand that baiting Israelis is a rather dangerous sport.

  6. How to leak your IP on Slashdot :-) on Dad Delivers Baby Using Wiki · · Score: 1

    202.173.180.235, eh?

    How's it going for ya, down under?

  7. Could provide an API on Gravatars Can Leak Users' Email Addresses · · Score: 2, Interesting

    From Gravatar's FAQ:

    > MD5 isn't strong enough encryption, they've cracked that haven't they?
    >
    > MD5 is plenty good for obfuscating the email address of users across the wire. If you're thinking of rainbow tables, those are all geared at passwords (which are generally shorter, and less globally different from one another) and not email addresses, furthermore they are geared at generating anything that matches the hash, NOT the original data being hashed. If you are thinking about being able to reproduce a collision, you still don't necessarily get the actual email address being hashed from the data generated to create the collision. In either case the work required to both construct and operate such a monstrosity would be prohibitively costly. If we left your password laying around in the open as a plain md5 hash someone might be able to find some data (not necessarily your password) which they could use to log in as you... Leaving your email address out as an md5 hash, however, is not going to cause a violent upsurge in the number of fake rolex watch emails that you get. Let's face it there are far more lucrative, easier, ways of getting email addresses. I hope this helps ease your mind.

    So, they might have already thought about this vulnerability and dismissed it as not interesting.

    They could still fix their concept by providing an API where a website wanting to discover the avatar for a given email first hashes the email with MD5 and then the Gravatar URL which is generated redirects them to a link to the image (which contains no information about the email address, or perhaps uses a salted hash). This, in conjunction with rate limiting the number of queries per website, could provide a relatively secure way to do what they want.

  8. Provide an API on Gravatars Can Leak Users' Email Addresses · · Score: 1

    > A) Isn't the point of it to be a public system, so that sites can accept users' email addresses, then find the gravatars themselves?

    I suppose you're right. In which case no trivial workaround can exist (because the attacker just pretends to be a website wanting to discover the guessed emails' avatars). OTOH, if Gravatar would implement a two-step API for getting the information, and implement rate limits on the API, doing the attack could be made much, much harder.

    I vaguely remember looking at the Gravatar site when it opened up a long time ago, but personally I have no use for avatars and prefer not to have a global net persona (or at least one which is trivially assembled from all of the little persona pieces I have spread around).

    > B) Wouldn't it be equally easy to reverse engineer the salt string, with your own known test email? (As long as the salt is shorter than some limit maybe)

    The whole point of using a salt (in my eyes, anyway) is that it should be long enough that brute forcing it is unreasonable.

  9. No salting on Gravatars Can Leak Users' Email Addresses · · Score: 1

    I more or less agree with you that this isn't particularly newsworthy (is Gravatar all that widely used?), except for the fact that if they had bothered to add a random, secret salt before hashing, everything would have been secure (or rather, as secure as the secret salt).

    > In other news, all password hashes can eventually be cracked by brute force... Oh noes!

    True, but that is like saying "No encryption which uses a key smaller than the length of the ciphertext is secure": mathematically true, but not true in practice.

    I think what you should have said instead was:

    "In other news, doing security is harder than you think."

  10. Possible workaround on Gravatars Can Leak Users' Email Addresses · · Score: 3, Insightful

    Can anyone tell me if the "you can add extra stuff after a +" that GMail lets you do is standard in the RFC for all email addresses? If it is, to "fix" this, if you should sign up to Gravatar with an email address using a random string after an added "+", the brute force search on hashes will be much, much harder. (Assuming that your email provider is implementing that part of the standard.)

  11. No need on Gravatars Can Leak Users' Email Addresses · · Score: 3, Insightful

    It would have been trivial for them to just add a secret salt string to the email before hashing, and that would have solved most of the problem. It is possible that they wanted to be "nice", in that in the case they go out of business, anyone can regenerate the IDs without them. But, as this guy has shown, that's not a great idea.
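Added example (not part of any comment above, and not Gravatar's code): a small Python audit of the three identifier schemes discussed in comments 7 to 11, namely a plain MD5 of the address, a "+tag" address hashed the same way, and a hash keyed with a server-side secret. The addresses, guess list and key are constructed sample data, and HMAC-SHA256 stands in for the "secret salt" the comments propose.

```python
import hashlib
import hmac
import secrets

def public_id(email: str) -> str:
    """Unsalted scheme from the thread: MD5 of the normalized address."""
    return hashlib.md5(email.strip().lower().encode()).hexdigest()

def keyed_id(email: str, key: bytes) -> str:
    """Keyed variant: HMAC-SHA256 under a secret only the service holds."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()

def confirmable(target_id: str, candidates, id_func):
    """Return the candidate that reproduces target_id, or None.

    Models what any third party can do with a published identifier:
    recompute it for addresses they already suspect and compare.
    """
    for candidate in candidates:
        if hmac.compare_digest(id_func(candidate), target_id):
            return candidate
    return None

# Constructed sample data (assumptions, not values from the page).
SERVER_KEY = secrets.token_bytes(32)            # stays on the server
USER = "alice@example.com"
TAGGED = "alice+" + secrets.token_hex(8) + "@example.com"  # comment 10's workaround
GUESSES = ["bob@example.com", "alice@example.org", "alice@example.com"]

def audit() -> dict:
    """Report, per scheme, which guessed address (if any) is confirmed."""
    outsider_key = secrets.token_bytes(32)      # an outsider lacks SERVER_KEY
    return {
        # Anyone can recompute MD5(email), so a correct guess is confirmed.
        "unsalted": confirmable(public_id(USER), GUESSES, public_id),
        # A random +tag makes the hashed string unguessable from the bare address.
        "plus_tag": confirmable(public_id(TAGGED), GUESSES, public_id),
        # Without the key the identifier cannot be recomputed at all, which is
        # also why partner sites would need a lookup API instead of hashing locally.
        "keyed": confirmable(keyed_id(USER, SERVER_KEY), GUESSES,
                             lambda e: keyed_id(e, outsider_key)),
    }

if __name__ == "__main__":
    print(audit())
```

The keyed scheme is only as secret as `SERVER_KEY`, and it gives up the property comment 11 mentions: nobody else can regenerate the IDs if the service disappears.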

  12. Santa will grant (some of) your wishes! on White House Holding Piracy Summit · · Score: 1

    > If anything, the RIAA members should have all their copyrights revoked for abuse, and rights should be restored to the people who created the original works, bypassing the old "work for hire" provisions that Hollywood snuck in.

    Musical recordings, at least up to now, haven't been accepted as belonging to the enumerated list of types of works which are automatically works for hire if produced for compensation. Except for a very short period of time between Congress messing things up (1999) and its later pressing the "reset button" (2000).

    In most cases the artist(s) assign their copyrights to the labels, and this means that soon, starting around 2013, there will be an interesting battle in the Federal courts whether or not the artists can terminate these assignments as stipulated in the 1976 Copyright Act.

    See also http://yro.slashdot.org/story/09/11/15/2119230/Copyright-Time-Bomb-Set-To-Go-Off .

  13. Re:So? He "forgot" on The Trial of Terry Childs Begins · · Score: 1

    > He didn't claim he forgot.

    I didn't claim he claimed he forgot. But you did forget to reply to the gist of my post. He could easily claim he was incapable of supplying the passwords.

  14. What his duties required him to do on The Trial of Terry Childs Begins · · Score: 1

    Other posters have claimed that the city's policies actually forbid him from divulging the passwords, i.e., "what his duties required him to do".

    This case will be interesting. I cannot see how a US court can possibly make it a crime to not divulge information. OTOH, in some jurisdictions, it can be a crime (e.g., in the UK not divulging an encryption password to the court is a crime).

  15. Citation needed on The Trial of Terry Childs Begins · · Score: 2, Interesting

    > The water treatment plants were amongst the infrastructures that he disabled.

    This is the age of the hyperlink. Please provide one.

    As for him deserving 20 years, it seems to me that it can never be a crime to forget something. In the same vein, it would seem to me that it cannot be a crime to be psychologically incapable of providing information. Other posters have claimed that it was even against his ex-employer's policies to provide that information.

    I wonder if we will ever learn the real truth about this matter. It's fairly clear what version the city government would like to be revealed as "the truth".

  16. So? He "forgot" on The Trial of Terry Childs Begins · · Score: 1

    > He is still obligated to supply the passwords as they are not his property.

    You cannot be obligated to remember something. If he had had a stroke, and was incapable of remembering the passwords, do you believe that the city could sue him or jail him for that?

    My reading on this fiasco is that he had something similar to a nervous breakdown which made it impossible for him to deliver the passwords on demand. Other posters here have stated that it was actually against his employer's policy for him to give the passwords to the person asking for them. In that case, it was kind of the "give the computer a nervous breakdown by contradictory demands" scenario, a la Star Trek and numerous other SF works.

  17. His manager is just as guilty on The Trial of Terry Childs Begins · · Score: 1

    > child's job description did not include the self-appointed position of deciding himself who should have access to the network configuration

    You are probably correct. But his contract/terms of employment should have been such that the city could sue him for the $125k/yr he was getting paid in the case that he changed the passwords from a configuration known to the city (to deal with the case that he would die unexpectedly). I have a suspicion that the city wasn't smart enough to make turning over the network administration (or at least having a contingency plan for the event that Childs would die) a contractual condition of properly finishing the work of designing the network.

    In simple words, his manager(s) were also incompetent. But they aren't going to be looking at jail for it.

  18. Was punished already on The Trial of Terry Childs Begins · · Score: 1

    > The guy did something wrong and should be punished.

    He was punished, he was fired.

    By not giving the keys, he did no more damage than would have been done if he had died accidentally, and his managers didn't seem to be that concerned about that, it seems. Since he did eventually give the keys (to the mayor), he did even less damage, in fact, a lot less damage.

  19. Sounds like a *great* idea on The Trial of Terry Childs Begins · · Score: 1

    > This is a case of someone trying to use Slashdot to sway popular opinion; kind of like a slashvertisement, except with the legal system instead of a book or piece of software.

    Wow, it really worked well for Joel Tenenbaum and Jammie Thomas-Rasset, I'm sure this is going to be very, very effective for Childs!!!

  20. So you're dumb on The Trial of Terry Childs Begins · · Score: 2, Insightful

    You forgot to keep a copy of the keys yourself? I call that stupid. And in the case of this guy's manager, criminally stupid.

    Most people are smart enough to give their caretakers copies of their keys. Your analogy stinks.

    And even if it didn't stink in that way, it stinks in another way. You could just shell out to have a professional locksmith break into your house and change the locks. Which is what you would have to have done anyway if the caretaker was kidnapped by the mafia or otherwise disappeared (the analogous situation to Childs dying in his sleep).

    Actually, I just reviewed the facts as put out in this article by Venezia and most of the negative stuff has to do with mismanagement on the part of the city, in my eyes. A good manager would have understood that Childs was too attached to his creation, and would have already started to bring in another professional who might have had a chance of giving Childs the impression that he was handing his brainchild over into good hands. OTOH, I'm not sure Childs was psychologically capable of doing that. I wonder what will really happen in this trial.

  21. Really, now on The Trial of Terry Childs Begins · · Score: 1

    > What he did was wrong

    Don't know about that. It seems to me that it was a worse crime to let him be the sole repository of such valuable information (the password/s), without having a clue that there was a chance he'd suddenly drop dead. And it was his managers who were guilty of that crime.

  22. Fired him first? on The Trial of Terry Childs Begins · · Score: 5, Insightful

    > the people this guy works for asked for the passwords

    My impression was, that in a nice show of cluelessness, they decided to fire this guy first, and then ask him for the passwords which they didn't have (i.e., they didn't have any plan of action if he got run over by a bus or otherwise dropped dead).

  23. Re:laughable on Eolas Sues World + Dog For AJAX Patent · · Score: 1

    > Socialism is being taxed because I made too much money and my money given to those who didn't work.

    No, I think you've gotten the ideals of socialism wrong. Under socialism, if you are capable of working but don't work, you are a criminal. Under socialism, the extra money you made compared to, for example, a hard-working janitor, would be given to him (it actually is supposed to be implemented that you just wouldn't make more money than anyone else who worked).

    That this cannot work well in reality is a different issue, similar to the problem that pure capitalism also doesn't work very well.

  24. And the next bits... on Hollywood Sets $10 Billion Box Office Record · · Score: 1

    And the next bits:

    "Wait a minute, we'd better make sure that those extra profits are on other company's books!"

  25. Not surprising on Google and Microsoft Sued By Mini Music Label · · Score: 1

    > This is an important concept regarding the internet that most politicians still don't get.

    It's not clear that "they don't get it". You are assuming that what a politician says is connected with what he wants done or thinks can be done rather than being connected with what he wants others to think about him (so he gets reelected, perhaps via getting more campaign contributions).