August 24, 2016

Archives for January 2003


Wacky Biometrics

I heard a presentation today by an expert on biometric security devices. He mentioned two new biometric devices under development. The first one uses body odor, detecting the unique combination of chemicals emitted by your body. The second one fits on a chair; you sit on it and it measures the unique shape and weight distribution of your rear end. What will they think of next?


Man vs. Machine

Chess whiz Garry Kasparov has started another match against an electronic opponent. Much has been made of the man vs. machine battle, with right-thinking humanists everywhere lining up on Kasparov’s side, supporting human intellect and determination against the cold, mechanical logic of the computer.

I’m rooting for the machine.

Kasparov’s performance at the chessboard is awe-inspiring – a true triumph of the intellect. You can’t help but admire what he represents.

But if you know much of anything about his opponent, you’ll realize that it too is a monument to human achievement. The computer, Deep Junior, was built and programmed by people, not machines. People, not machines, figured out how to make a computer play brilliant chess despite the computer’s pathetic inability to mimic Kasparov’s brain. Deep Junior is the culmination of decades of work by an army of anonymous engineers and researchers, each contributing a few brilliant ideas to the technological edifice that made Deep Junior possible. To me, that story is more exciting than Kasparov’s talent, and just as human.

The standard knock on chess computers is that they are brainless and succeed only by brute force. As a one-time computer chess researcher, I can assure you that that image is misleading. Computers lack Kasparov’s intuition about chess, so they have to look far into the possible sequences of moves and countermoves. But blind exploration of all possible move sequences fails miserably due to the exponentially large number of possibilities. Instead, the best computer chess players are fantastically clever about where to apply their limited knowledge, about which move sequences to explore and in which order to explore them. The authors of these programs have collectively invented a new way to think about chess, one that focuses not on seeing as deeply as Kasparov but on knowing where to look. Considered on its own terms, this is at least as impressive as what Kasparov has done.

If you knew the people who have worked all of this out, and if you had seen their struggle, you might just root for Deep Junior too.


Microsoft De-Names Palladium

Microsoft has renamed its controversial Palladium initiative, giving it the forgettable title “Next-Generation Secure Computing Base” (NGSCB). The official reason for this is the discovery that another company had trademarked “Palladium” and Microsoft didn’t want to be seen as bullying that company. A more likely explanation is that the name “Palladium” had accumulated too many negative connotations. (Many of them were undeserved but impossible to shake nonetheless.)

The new title is so awkward that nobody outside the marketing department will ever use it. My prediction is that everyone outside Microsoft will pronounce the new acronym NGSCB like this: “pal-AY-dee-um”.


More on Targeting File-Sharers

Seth Finkelstein suggests a follow-the-money approach to thinking about the RIAA’s strategy in enforcing against file sharers. He reaches the same conclusion as I do (though for a slightly different reason), that ISPs are the leverage point for enforcing against file sharers.

The reason for this, Seth says, is that ISPs have money and average file sharers don’t. He has a point here, but he also makes a bit of a simplification. Though the common image of file sharers is of kids, my guess is that the demographics of file sharers are pretty close to those of music buyers. Data on this point are pretty hard to come by, but Napster’s statistics showed more middle-aged users than expected, and I assume that hasn’t changed with the new systems. In my view, people are drawn to these systems as much because of their ease of use (at least compared to the record-company alternatives) as because they are free. So there will be at least some individual file sharers who have a lot to lose.

Another reason the RIAA might want ISPs to take care of enforcement is that whoever does the dirty work will end up looking, well, dirty. There are basically two enforcement strategies. The first is to make examples of a few file sharers. This means imposing large penalties on a few people – if the penalties aren’t disproportionate to the individual offense, then they won’t have the desired deterrent effect. Whoever initiates this kind of make-an-example enforcement will end up looking like a bully.

The alternative is to impose small penalties on many people. For example, ISPs might cut off the accounts of file sharers, either permanently or temporarily. The problem with this kind of enforcement is that the economics dictate that only a small amount of money can be spent on identifying each target, otherwise the cost of enforcement outweighs the benefit. In practice, this means that bots will be used to identify targets, with little human involvement. Mistakes will be made – outrageous, hilarious mistakes – and the enforcers will look like idiots. Either way, whoever is doing the enforcement will end up with egg on their face. If you’re the RIAA, you’d much rather have ISPs handle enforcement.


File Sharers Targeted Next?

Declan McCullagh, at CNet, predicts that we will soon see criminal prosecutions of a few people who make extensive use of file sharing software. He cites RIAA rhetoric and congressional rhetoric supporting prosecution, and he reiterates the relevant laws, which dictate surprisingly stiff sentences for violations.

Orin Kerr, at the Volokh Conspiracy blog, disagrees. He points to his experience as a DOJ official, and says that decisions about whom to prosecute are typically made by Assistant U.S. Attorneys (and not centrally in Washington), and that most of the decisionmakers would rather spend their limited resources going after drug dealers, kidnappers, and the like.

The elephant in the closet here is the lack of civil lawsuits against file sharers by the recording industry. If I were a Federal prosecutor, I would be asking myself why I should spend tax dollars on prosecuting someone for file sharing, when none of the victims of that file sharing are willing to bring any civil suits against file sharers.

Why would the RIAA support criminal prosecutions but not civil suits? The obvious explanation is that they fear a backlash from their customers if they file aggressive lawsuits. But won’t the backlash be even larger if the FBI hauls somebody away in handcuffs at their behest? I’m sure they saw what happened to Adobe when it engineered the arrest of Dmitry Sklyarov.

My bet is on the theory expounded by Jonathan Zittrain, as quoted by Hiawatha Bray in yesterday’s Boston Globe. The RIAA will try to put pressure on ISPs to become enforcement agents, by putting on a DMCA squeeze. The DMCA gives ISPs a limited safe harbor from liability for their customers’ actions, but it also allows various legal stratagems that the RIAA could use to pressure ISPs into compliance.

The RIAA still appears to be afraid to sue file sharers. This can’t bode well for their future. If your business model depends on people complying with a law, and you yourself have the power to enforce that law but are not willing to do so, you have a problem.


Sony, At War with Itself

The February issue of Wired has an interesting feature on Sony’s struggle to figure out its position on technology, media, and copyright. As a consumer electronics maker, Sony wants to make products that give people flexible use of their recorded music and video. As a content provider, Sony wants to enforce limits on that flexibility.

For a while, the result was paralysis. The Wired story begins with a Sony executive looking wistfully at an Apple iPod, and wishing Sony had had the guts to create such a product. Sony’s consumer electronics business drifted, unable to create breakthrough products that provided the flexibility that users crave.

Now under new leadership, Sony is trying to find a middle path. Unfortunately, the new strategy seems to work only for customers who have all-Sony setups. One Sony device will talk to another, but it’s not clear how a customer could mix other manufacturers’ products into a Sony setup. Open and flexible components are still too scary to allow.

The result is just another way of failing to serve customers. Instead of trying to make each product as useful to the customer as possible, Sony is still trying to corral and control their customers’ activities. They still talk about finding the “balance point” between customer-friendly design and content protection. Despite the hopeful ending of the Wired piece, the civil war inside Sony isn’t over yet.


RIAA Site Hacked Again

Once again, somebody has attacked the RIAA’s web site, knocking it out this time for three days. The bozos who did this probably think it’s a clever way to retaliate against the RIAA. Instead, they’re just reinforcing the caricature of the RIAA’s opponents as amoral punks. There are plenty of constructive ways to contribute to the public debate; vandalism is not one of them.


No Injunction for SearchKing

The judge in the SearchKing v. Google case has denied SearchKing’s request for a preliminary injunction. (See the bottom of this posting for background on the case.) James Grimmelmann at LawMeme analyzes the ruling. The court ruled that Google’s page rankings are opinions and so are protected by the First Amendment.

It’s interesting that the court found the page rankings to be opinions, even though they are generated automatically by a computer algorithm. In other words, page rankings don’t necessarily reflect the judgment of any person or group of people (at least not directly), except in the metaphysical sense that Google’s algorithm extracts the collective judgment of all of the webpage authors in the world.

A person identifying him/herself as a lawyer for SearchKing comments on the LawMeme site:

As Search King’s attorney, I can tell you a Rule 59 Motion to Alter Judgment was filed along with Search King’s Response to the Motion to Dismiss. In those pleadings we show the Court Google has a patent on PageRank. It also has been presented by its “inventors” as truly objective. (how does one “invent” an opinion?) If Google continues on its path of First Amendment protected opinion, there could be objections to its patent filed. Something to ponder….

It seems to me perfectly consistent to say something is an opinion and that it was arrived at by an objective procedure. Anyway, isn’t SearchKing’s whole case predicated on the claim that Google is not treating SearchKing objectively?

[Background on the SearchKing case: SearchKing sells a service that claims to raise people’s page rankings on the Google search engine. Google adjusted their page ranking algorithm to demote SearchKing’s pages. SearchKing sued Google, asking the court to grant a preliminary injunction requiring Google to restore the page rankings of SearchKing’s pages. The judge just denied that request. Google’s motion to dismiss is apparently next on the agenda.]


More on the Insecurity of Door Locks

Seth Finkelstein has unearthed two previous mentions of the method used in Matt Blaze’s door-lock attack. It’s clear that this problem was known in some circles. Now the rest of us know too.

I wrote previously that I’m glad the DMCA doesn’t apply to door locks. Chris Smith, over at Mutatron, wonders whether the DMCA does apply to door locks. He seems pretty sure that it does, at least where the locked door is protecting access to copyrighted materials.

This use of the DMCA seems an even bigger stretch than the garage-door-opener case and the toner-cartridge case, but it’s not totally ridiculous. Does a door lock, “in the ordinary course of its operation, require[] the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to [a copyrighted] work”? If most doors control access to copyrighted works, then the question boils down to the “authority of the copyright owner” clause, which has been a slippery one in past DMCA cases.


Most Door Locks Insecure

John Schwartz at the New York Times reports on a blockbuster piece of research by cryptographer Matt Blaze. Matt applied the principles of cryptography to good old-fashioned door locks and keys, and what he found is pretty horrifying. Given a key to one of the locks in a building, and a small number of key blanks, there is a method by which you can make a master key that opens all of the locks in the building.

Apparently some locksmiths have known this was possible for a long time. The lock manufacturer Schlage has even taught locksmiths how to carry out a version of Blaze’s attack. Yet somehow they never bothered to tell their customers.

This is why we need independent analysis of security technologies. Manufacturers will keep important information from their customers, even information that impacts the basic security decisions of the customers. Bans on security analysis, or bans on the dissemination of results, just help manufacturers keep their customers in the dark. Thank goodness there is no DMCA for door locks.