May 30, 2024

Archives for September 2003

Volokh and Solum Debate IP

Eugene Volokh and Lawrence Solum are having an interesting debate on the theory behind intellectual property. So far there have been four postings:

Volokh’s initial posting, explaining via a clever example why it might make sense to treat information as property

Solum’s response, challenging Volokh’s example

Volokh’s response to Solum

Solum’s response, digging deeper into the issue

Presumably we will see more on Volokh’s blog and Solum’s blog.

Senate Testimony

I’ll be testifying tomorrow morning at a Senate Commerce Committee hearing on “Consumer Privacy and Government Technology Mandates in the Digital Media Marketplace.”

The hearing is really about two topics: the DMCA subpoena process that allows copyright owners to learn the identities of Internet users (“Consumer Privacy”), and the impact of regulations that would require technology makers to build anti-copying technology into their devices (“Government Technology Mandates”). I’ll be on the panel discussing the second topic. Other witnesses on the panel will be Lawrence Blanford of Philips, Jack Valenti of the MPAA, and Chris Murray of Consumers Union.

I’ll post my written testimony here later. I’ll also post my impressions of the hearing afterward.

UPDATE (4:50 PM): It appears that a live Internet audiocast of the hearing will be available on, starting at 9:30 AM (Eastern). The hearing starts at 10:00 with a panel discussing the subpoena issue; I’m on the second panel.

A Virus Made Me Do It

According to press reports, an Alabama accountant has been acquitted on charges of tax evasion, after he argued that a computer virus had caused him to underreport his income three years in a row. He could not say which virus it was. Nor could he explain why it had affected only his own return, but not any of his clients’ returns, which he had prepared on the same computer.

If the reports are accurate, the man’s claims sound bogus. I suppose the jury felt they had a reasonable doubt about whether his story was true.

It’s hard to see how juries can reach just outcomes in cases like this. Virus infestations are common, and it’s often hard to tell after the fact what happened. We’ll probably see more computer-virus defenses in cases like this, and some of them will lead to unjust verdicts.

This is yet another price we have to pay for the persistent insecurity of our computer systems.

[Thanks to Brian Kernighan for pointing out this story.]

More RIAA Suits to Come

Louis Trager at the Washington Internet Daily (no link; subscription only) reported yesterday that the RIAA is planning on filing hundreds of additional lawsuits against peer-to-peer users within the next month.

RIAA VP Matt Oppenheim also expressed outrage at the criticism of the group’s amnesty program. Trager quotes Oppenheim as saying, “We can only give away what we can give away….” Oppenheim also claims that the public supports the RIAA’s lawsuits, citing poll numbers and talk radio call-ins.

Why So Many Worms?

Many people have remarked on the recent flurry of worms and viruses going around on the Internet. Is this a trend, or just a random blip? A simple model predicts that worm/virus damage should increase in proportion to the square of the number of people on the Net.

First, it seems likely that the amount of damage done by each worm will be proportional to the number of people on the Net. This is based on three seemingly reasonable assumptions.

(1) Each worm will exploit a security flaw that exists (on average) on a fixed fraction of the machines on the Net.
(2) Each worm will infect a fixed fraction (nearly 100%, probably) of the susceptible machines.
(3) Each infected machine will suffer (or inflict on others) a fixed amount of damage.

Second, it seems likely that the rate of worm creation will also be proportional to the number of people on the Net. This is based on two more seemingly reasonable assumptions.

(4) A fixed (albeit very small) fraction of the people on the Net will have the knowledge and inclination to be active authors of worms.
(5) Would-be worm authors will find an ample supply of security flaws for their worms to exploit.

It follows from these five assumptions that the amount of worm damage per unit time will increase as the square of the number of people on the Net. As the online population continues to increase, worm damage will increase even faster. Per capita worm damage will grow as the Net gets larger.
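The same argument written out with symbols, as an added derivation that is not part of the original post. The symbols are assumptions introduced here: $N$ is the number of people on the Net, and the number of machines is taken to be proportional to $N$, with that constant absorbed into $f$.

$$\text{damage per worm} = f \cdot s \cdot d \cdot N$$

Here $f$ is the fraction of machines carrying the exploited flaw (Assumption 1), $s$ is the fraction of susceptible machines that get infected (Assumption 2), and $d$ is the damage per infected machine (Assumption 3).

$$\text{worms per unit time} = a \cdot w \cdot N$$

Here $a$ is the fraction of people who are active worm authors (Assumption 4) and $w$ is the number of worms each author releases per unit time, which Assumption 5 says is not limited by the supply of flaws.

$$D(N) = (f\,s\,d\,N)(a\,w\,N) = f\,s\,d\,a\,w\,N^{2}, \qquad \frac{D(N)}{N} = f\,s\,d\,a\,w\,N$$

As long as all five factors stay fixed, doubling $N$ quadruples total damage per unit time and doubles the damage per person.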

Assuming that the online population will keep growing, the only way out of this problem is to falsify one of the five assumptions. And each of the five assumptions seems pretty well entrenched.

We can try to address Assumption 1 by applying security patches promptly, but this carries costs of its own, and in any case it only works for flaws that have been discovered by (or reported to) the software vendor.

We can try to address Assumption 2 by building defenses that can quarantine a worm before it spreads too far. But aggressive worms spread very quickly, infecting all of the susceptible machines in the world in as little as ten minutes. We’re far from devising any safe and effective defense that can operate so quickly.

Assumption 3 seems impossible to falsify, since a successful worm is assumed to have seized control of at least one significant part of the victim’s computer.

Assumption 4 seems to be human nature. Perhaps we could deter worm authors more effectively than we do, but deterrence will only go so far, especially given that we’ve had very little success so far at catching (non-rookie) worm authors, and that worms can originate anywhere in the world.

So we’re left with Assumption 5. Can we reduce the number of security flaws in popular software? Given the size and complexity of popular programs, and the current state of the art in secure software development, I doubt we can invalidate Assumption 5.

It sure looks like we’re in for an infestation of worms.