December 23, 2024

Archives for 2004

Cyber-Security Research Undersupported

Improving cybersecurity is supposedly a national priority in the U.S., but after reading Peter Harsha’s report on a recent meeting of the President’s Information Technology Advisory Committee (PITAC), it’s clear that cybersecurity research is severely underfunded.

Here’s a summary: The National Science Foundation has very little security research money, enough to fund 40% or less of the research that NSF thinks deserves support. Security research at DARPA (the Defense department’s research agency) is gradually being classified, locking out many of the best researchers and preventing the application of research results in the civilian infrastructure. The Homeland Security department is focusing on very short term deployment issues, to the near-exclusion of research. And corporate research labs, which have shrunk drastically in recent years, do mostly short term work. There is very little money available to support research with a longer term (say, five to ten year) payoff.

A Perfectly Compatible Form of Incompatibility

Scientific American has published an interview with Leonardo Chiariglione, the creator of the MP3 music format and formerly head of the disastrous Secure Digital Music Initiative. (SDMI tried to devise a standard for audio content protection. The group suffered from serious internal disagreements, and it finally dissolved after a failed attempt to use DMCA lawsuit threats to suppress publication of a research paper, by my colleagues and me, on the weaknesses of the group’s technology.)

Now Chiariglione is leading another group to devise the ultimate DRM (i.e., anti-copying) music format: “a system that guarantees the protection of copyrights but at the same time is completely transparent and universal.” He doesn’t seem to see that this goal is self-contradictory. After all, we already have a format that is completely transparent and universal: MP3.

The whole point of DRM technology is to prevent people from moving music usefully from point A to point B, at least sometimes. To make DRM work, you have to ensure that not just anybody can build a music player – otherwise people will build players that don’t obey the DRM restrictions you want to connect to the content. DRM, in other words, strives to create incompatibility between the approved devices and uses, and the unapproved ones. Incompatibility isn’t an unfortunate side-effect of deficient DRM systems – it’s the goal of DRM.

A perfectly compatible, perfectly transparent DRM system is a logical impossibility.

The idea of universally compatible DRM is so odd that it’s worth stopping for a minute to try to understand the mindset that led to it. And here Chiariglione’s comments on MP3 are revealing:

[Scientific American interviewer]: Wasn’t it clear from the beginning that MP3 would be used to distribute music illegally?

[Chiariglione]: When we approved the standard in 1992 no one thought about piracy. PCs were not powerful enough to decode MP3, and internet connections were few and slow. The scenario that most had in mind was that companies would use MP3 to store music in big, powerful servers and broadcast it. It wasn’t until the late ’90s that PCs, the Web and then peer-to-peer created a completely different context. We were probably naive, but we didn’t expect that it would happen so fast.

The attitude of MP3’s designers, in other words, was that music technology is the exclusive domain of the music industry. They didn’t seem to realize that customers would get their own technology, and that customers would decide for themselves what technology to build and how to use it. The compatible-DRM agenda is predicated on the same logical mistake, of thinking that technology is the province of a small group that can gather in a room somewhere to decide what the future will be like. That attitude is as naive now as it was in the early days of MP3.

Thoughts on the Gmail Privacy Flap

I have to admit I’m surprised at the magnitude of the recent controversy about Gmail, Google’s new webmail service. Gmail is a free webmail service, giving you up to one gigabyte of storage for email. The service shows you text ads alongside your messages, and provides various search features for your mail. The service has been surprisingly controversial, triggering angry blog-entries, letters from privacy groups, and even an anti-Gmail bill in the California state senate.

It’s important to separate complaints about what Gmail is doing now, from complaints about what the Gmail user agreement allows them to do later.

The main complaint about Gmail’s present design has to do with the text-based ads that Gmail is said to display alongside your email. To decide which ads to place, Gmail looks at the content of your email. Presumably this is a straightforward application of Google’s AdWords system (which used to appear on this site).

I’m not entirely sure why people are offended by the running of a (presumably memoryless) word-matching algorithm over their email, or the displaying of word-triggered ads. The scanner, by itself, wouldn’t bother me at all, since advertisers don’t find out who saw their ads. Users who click on the ads will be taken to the advertisers’ sites, which might try to identify them, but that’s not a new risk, and it’s controllable by the user. Other kinds of scanners, for instance onces that made summaries of my email for sale to third parties, would bother me a lot; but that’s not what Gmail is doing.

The other complaint about Gmail has been about the terms of its user agreement. There’s no doubt that the terms are egregious; but they don’t seem much worse than the terms imposed by other companies. (Seth Finkelstein makes this point well.) Hotmail’s terms of use are pretty distasteful too. So why the big flap over this particular agreement?

Don’t get me wrong. I’m glad to see people screaming about outrageous user agreements. It’s just that I would like to see some of that same anger directed elsewhere, to bring more balance into user agreements for all kinds of products. I hope the Gmail flap will cause people to look at other agreements in the same light.

I was never a likely customer for Gmail. But I can say for sure that the terms of service are enough to eliminate any remaining chance that I would switch to Gmail as my main email provider.

Grimmelmann on the Digital Cops Conference

James Grimmelmann reports on the recent Digital Cops conference at Yale. It’s a typically Grimmel-rific effort, both entertaining and insightful.

Voting Machine Inspection

Yesterday, I had a chance, with some colleagues, to look over the new e-voting machines that will be used in the future here in Mercer County, New Jersey. They’re AVC Advantage machines, made by Sequoia. The machines were available for public inspection at Princeton Borough Hall. (They’re available today too, at the Suzanne Patterson Center, right behind Borough Hall.)

The machines have a low-tech user interface, a big board covered with a paper printout of the ballot, with switches underneath the paper. The paper is covered by a thin sheet of clear, flexible plastic. You press on the little box printed next to your candidate’s name, and a switch under the paper is triggered. A computer inside the machine detects the switch-press and lights a little green X next to the candidate’s name. When you’re done, you press a bright red “Cast Vote” button, which is supposed to cause the computer to record your vote.

The machine’s minders were careful not to let us look at the mechanism inside. When we got there the access panel was ajar; but when I asked whether I could look inside one of the minders quickly closed and locked it.

The physical security of the machine looked pretty lousy. The guts of the machine are behind a large plastic door on the back side of the machine. The door bent unexpectedly when I tugged gently on its corner. It seemed to be made out of an ordinary plastic, not the thick, tough kind used in kids’ toys these days. My guess is that I could probably rip off the door with my bare hands. It could certainly be removed with a screwdriver or crowbar. The lock looked wimpy too, like the kind of lock you might put on a toolshed or a locker at the gym; not as good as a standard house or office key. I doubt anyone could get the panel open during an election without being noticed, but that owes more to the number of people around than to the inherent strength of the door and lock. The machine will be physically vulnerable beforehand when it’s not as well attended.

They had a copy of the instruction manual that is normally given to poll workers, but they seemed nervous when we looked at it. It seemed to me that they were trying to decide whether to take the manual away from us. The manual had a small black-and-white photo of the machine’s innards, showing a circuit-board of some sort, and a printer.

The vendor offers little if any technical information about the machine. They do publish a brochure, which helpfully observes that use of these machines offers “[n]othing less than the complete elimination of human error.”