April 21, 2014


Fritz’s Hit List #6

Today on Fritz’s Hit List: digital answering machines (like this one).

These products, which record and replay digital audio, qualify for regulation as “digital media devices” under the Hollings CBDTPA. If the CBDTPA passes, any newly manufactured digital answering machine will have to incorporate government-approved copy restriction technology.

Fight piracy – regulate answering machines!


What Hollywood Wants to Do To P2P Users

The written version of Randy Saaf’s testimony at yesterday’s Berman-Coble hearings is now available. It is longer than his oral statement and answers a key technical question.

Saaf runs a company called Media Defender (MD) that tries to disrupt p2p networks on the behalf of copyright holders. All of the speakers at the hearings agree that the steps that MD uses now are legal. The key question was this: What do MD and Hollywood want to do that would be legalized by Berman-Coble?

The only example that anybody could give was a method that Saaf (misleadingly) calls “interdiction.” He gave a vague description of it yesterday, and I wrote that it “sounds to me like a classic denial of service attack.”

Saaf’s written testimony offers more detail:

Interdiction only targets uploaders of pirated material. The way it targets them is to simply download the pirated file. MediaDefender’s computers hook up to the person using the P2P protocol being targeted and download the pirated file at a throttled down speed. MediaDefender’s computers just try to sit on the other computers’ uploading connections as long as possible, using as little bandwidth as possible to prevent others from downloading the pirated content….

Interdiction works by getting in front of potential downloaders when someone is serving pirated content using a P2P network. When MediaDefender’s computers see someone making a copyrighted file available for upload, our computers simply hook into that computer and download the file. The goal is not to absorb all of that user’s bandwidth but block connections to potential downloaders. If the P2P program allows ten connections and MediaDefender fills nine, we are blocking 90% of illegal uploading.

That’s a denial of service attack, folks. The attack operates not by exhausting the target’s bandwidth, but by exhausting the number of connections it can service simultaneously. Connection-exhaustion attacks are a well-recognized form of denial of service; other examples of such attacks include so-called “SYN flooding.”

It appears that common p2p software limits the number of connections it will service at one time. By occupying the available connections, the “interdiction” attack prevents new connections from being made. The effect is to cut off all uploads from the attacked p2p program (but not from the rest of the computer).

Note that this blocks access to all uploads from the p2p program, including uploads of noninfringing files.

There are various simple countermeasures that the p2p vendors could – and presumably will – adopt to frustrate this attack. One thing they could do is to lift their self-imposed limit on the number of connections their program will accept. If they do this, then an “interdiction” attack would have to occupy all of the machine’s connections, thus blocking all uploads of any kind, by any program, from the machine.
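To make the arithmetic in the testimony concrete, here is a small added model (my own construction, not code from MediaDefender or any p2p vendor) of an upload-slot table with a self-imposed connection cap. It reproduces the “nine of ten slots” scenario, the countermeasure suggested above (lifting the cap), and one further defence I assume a vendor might add: a per-remote-peer slot limit.

```python
# Toy model (constructed, not MediaDefender's or any p2p vendor's code) of the
# slot-exhaustion effect described in the testimony above, plus two defences.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UploadSlots:
    """Upload-connection table of a hypothetical p2p client."""
    max_slots: int                        # self-imposed cap on simultaneous uploads
    per_peer_limit: Optional[int] = None  # None = no per-peer cap (the situation in the text)
    active: list = field(default_factory=list)  # peer ids currently holding a slot

    def try_accept(self, peer: str) -> bool:
        """Grant a slot unless the global or per-peer cap is reached."""
        if len(self.active) >= self.max_slots:
            return False
        if self.per_peer_limit is not None and self.active.count(peer) >= self.per_peer_limit:
            return False
        self.active.append(peer)
        return True


def refused_fraction(max_slots: int, held_by_one_peer: int,
                     per_peer_limit: Optional[int] = None, newcomers: int = 10) -> float:
    """Fraction of `newcomers` refused after a single peer tries to hold
    `held_by_one_peer` slots (its requests beyond any cap simply fail)."""
    table = UploadSlots(max_slots, per_peer_limit)
    for _ in range(held_by_one_peer):
        table.try_accept("single-source")
    refused = sum(1 for i in range(newcomers) if not table.try_accept(f"peer{i}"))
    return refused / newcomers


if __name__ == "__main__":
    # The scenario in the text: ten connections allowed, nine filled by one peer.
    print(refused_fraction(10, 9))                      # 0.9
    # Countermeasure from the text: lift the self-imposed limit.
    print(refused_fraction(1000, 9))                    # 0.0
    # Added countermeasure (assumption): cap slots per remote peer.
    print(refused_fraction(10, 9, per_peer_limit=2))    # 0.2
```

The per-peer cap is the usual defence against single-source connection exhaustion; it does nothing against many distinct sources, which is why the text expects an arms race rather than a one-shot fix.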


Sprigman on Reverse Engineering and Licenses

Interesting legal commentary by Chris Sprigman at FindLaw, on the legal status of reverse engineering in relation to software licenses.

[link credit: FurdLog]


Fritz’s Hit List #5

Today on Fritz’s Hit List: the Sony Aibo robot dog.

This product, which sends, receives, and digitally processes audio, qualifies for regulation as a “digital media device” under the Hollings CBDTPA. If the CBDTPA passes, any newly manufactured Aibos will have to incorporate government-approved copy restriction technology.

Fight piracy – regulate robot pets!


NYT: Software Diverts Referral Commissions

Today’s NYT discusses software that horns in on referral commissions (like those from Amazon’s affiliates program) meant for others.

Based on the article’s description, it looks like the software lurks quietly, waiting until the user’s browser is going to place an order that could generate a commission. Then the software inserts its distributor’s ID into the request, so as to capture the commission. Apparently the software even puts its own ID in place of another party’s ID, meaning that it captures commissions “meant” for others.

This software comes bundled into programs that a user downloads for free. The user “consents” to the commission-grabbing software’s behavior via vague language inserted into the enclosing product’s click-through agreement.

This seems like a pretty slimy thing to do. Maybe the lawyers out there can tell us whether it’s legal.


Godwin Article on the “Right to Tinker”

Mike Godwin has a new article at law.com on “the right to tinker.” He mentions my upcoming book on the topic. (Thanks, Mike.)


Notes on Today’s Berman-Coble Hearings

A House subcommittee held hearings this morning about the Berman-Coble peer-to-peer (p2p) hacking bill. I heard the first two hours, but then I had to go give a lecture.

The bill would give copyright owners new powers to employ self-help “hacking” measures aimed to prevent infringing file-trading on p2p networks. Everybody agreed that the self-help measures now being used are legal. One such measure is spoofing – providing dummy files that look like infringing material, to make it hard for people to find real infringing copies.

The big surprise for me was that the content-industry people seemed to have little idea what they would do with their new powers. When asked what they wanted to do that would be legalized by the bill, RIAA CEO Hilary Rosen said she didn’t know. She referred the question to Randy Saaf of MediaDefender.

Saaf could only come up with one desired measure that the bill would legalize. He called the measure “interdiction” and he described it as connecting to the offending user’s computer and downloading the offending file, in a way that prevented others from downloading. That sounds to me like a classic denial of service attack.

Everybody seemed to understand that the bill’s passage would escalate the technical arms race of measures and countermeasures between p2p designers and copyright owners. Nobody seemed to have any idea where that arms race would lead, or what its implications might be for the bill.

Congressman Boucher summed it up well when he said that Congress would be wise to wait until the copyright owners at least know what they want.


Misleading Term of the Week: “Standard”

A “standard” is a technical specification that allows systems to work together to make themselves more useful. Most people say, for good reasons, that they are in favor of technical standards. But increasingly, we are seeing the term “standard” misapplied to things that are really regulations in disguise.

True standards strive to make systems more useful, by providing a voluntary set of rules that allow systems to understand each other. For example, a standard called RFC822 describes a standardized way to format email messages. If my email-sending software creates RFC822-compliant messages, and your email-receiving software understands RFC822-compliant messages, then you can read the email messages that I send you. Compliance with such a standard makes our software more functional.

Crucially, standards like RFC822 are voluntary and nonexclusive. Nobody forces any email-software vendor to comply with RFC822, and there is nothing to stop a vendor’s product from complying simultaneously with both RFC822 and other standards.

Lately we have seen the word “standard” misapplied. For example, the Broadcast Protection Discussion Group (BPDG) calls its proposal a “standard,” though it is anything but. Unlike a real standard, BPDG is not voluntary. Unlike a real standard, it contains prohibitions rather than opportunities. Put the BPDG “standard” in front of experienced engineers, and they’ll tell you that it looks like a regulation, not like a standards document. BPDG is trying to make its restrictive regulations more palatable by wrapping them in the mantle of “standards.”

A more subtle misuse of “standard” arises in claims that we need to standardize on DRM technology. As I wrote previously:

In an attempt to sweep [the technical infeasibility of DRM] under the rug, the content industry has framed the issue cleverly as one of standardization. This presupposes that there is a menu of workable technologies, and the only issue is which of them to choose. They want us to ask which technology is best. But we should ask another question: Are any of these technologies workable in the first place? If not, then a standard for copy protection is as premature as a standard for teleportation.


Fritz’s Hit List #4

Today on Fritz’s Hit List: auto navigation systems.

These systems, which display digital maps and compute driving directions, qualify for regulation as “digital media devices” under the Hollings CBDTPA. If the CBDTPA passes, any newly manufactured auto navigation systems will have to incorporate government-approved copy restriction technology.

Fight piracy – regulate navigation systems!


One More on Biometrics

Simson Garfinkel offers a practical perspective on biometrics, at CSO Magazine.