July 27, 2016

Archives for June 2004



Today I’ll be speaking on a panel at the USENIX Conference in Boston, on “The Politicization of [Computer] Security.” The panel is 10:30-noon, Eastern time. The other panelists are Jeff Grove (ACM), Gary McGraw (Cigital), and Avi Rubin (Johns Hopkins).

If you’re attending the panel, feel free to provide real-time narration/feedback/discussion in the comments section of this post. I’ll be reading the comments periodically during the panel, and I’ll encourage the other panelists to do so too.


Victims of Spam Filtering

Eric Rescorla wrote recently about three people who must have lots of trouble getting their email through spam filters: Jose Viagra, Julia Cialis, and Josh Ambien. I feel especially sorry for poor Jose, who through no fault of his own must get nothing but smirks whenever he says his name.

Anyway, this reminded me of an interesting problem with Bayesian spam filters: they’re trained by the bad guys.

[Background: A Bayesian spam filter uses human advice to learn how to recognize spam. A human classifies messages into spam and non-spam. The Bayesian filter assigns a score to each word, depending on how often that word appears in spam vs. non-spam messages. Newly arrived messages are then classified based on the scores of the words they contain. Words used mostly in spam, such as “Viagra”, get negative scores, so messages containing them tend to get classified as spam. Which is good, unless your name is Jose Viagra.]

Many spammers have taken to lacing their messages with sections of “word salad” containing meaningless strings of innocuous-looking words, in the hopes that the word salad will trigger positive associations in the recipient’s Bayesian filter.

Now suppose a big spammer wanted to poison a particular word, so that messages containing that word would be (mis)classified as spam. The spammer could sprinkle the target word throughout the word salad in his outgoing spam messages. When users classified those messages as spam, the targeted word would develop a negative score in the users’ Bayesian spam filters. Later, messages with the targeted word would likely be mistaken for spam.

This attack could even be carried out against a particular targeted user. By feeding that user a steady diet of spam (or pseudo-spam) containing the target word, a malicious person could build up a highly negative score for that word in the targeted user’s filter.

Of course, this won’t work, or will be less effective, for words that have appeared frequently in a user’s legitimate messages in the past. But it might work for a word that is about to become more frequent, such as the name of a person in the news, or a political party. For example, somebody could have tried to poison “Fahrenheit” just before Michael Moore’s movie was released, or “Whitewater” in the early days of the Clinton administration.

There is a general lesson here about the use of learning methods in security. Learning is attractive, because it can adapt to the bad guys’ behavior. But the fact that the bad guys are teaching the system how to behave can also be a serious drawback.
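The poisoning effect described in this post can be reproduced with a toy word-scoring filter. This is an added example, not code from the original post; the class, the smoothing rule, and all sample messages are constructed for illustration. It measures how far a word's score moves when spam-labelled word salad contains it, for a word the user has never seen ("fahrenheit") and for one common in the user's legitimate mail ("meeting").

```python
import math
from collections import Counter

# Constructed sample mail, labelled by the (imaginary) user.
HAM = ["meeting moved to friday", "lunch meeting tomorrow", "notes from the meeting",
       "see you at dinner friday", "draft report attached"] * 4
SPAM = ["cheap viagra online now", "viagra discount pills", "win money now",
        "cheap pills online", "free money offer"] * 4

class WordScoreFilter:
    """Per-word log-odds filter: positive score = ham-like, negative = spam-like."""
    def __init__(self):
        self.counts = {"ham": Counter(), "spam": Counter()}  # messages containing word
        self.totals = {"ham": 0, "spam": 0}                   # messages seen per class

    def train(self, text, label):
        self.totals[label] += 1
        self.counts[label].update(set(text.lower().split()))

    def word_score(self, word):
        ham, spam = self.counts["ham"][word], self.counts["spam"][word]
        if ham + spam == 0:
            return 0.0  # never seen in training: neutral
        # Laplace-smoothed log( P(word|ham) / P(word|spam) ) (assumed smoothing rule)
        p_ham = (ham + 1) / (self.totals["ham"] + 2)
        p_spam = (spam + 1) / (self.totals["spam"] + 2)
        return math.log(p_ham / p_spam)

    def is_spam(self, text):
        return sum(self.word_score(w) for w in set(text.lower().split())) < 0

def poisoning_experiment(target, probe, n_poison=40):
    """Train on the baseline, then on n_poison spam-labelled word-salad messages
    containing `target`. Returns (score_before, score_after, probe_is_spam_after)."""
    f = WordScoreFilter()
    for m in HAM:
        f.train(m, "ham")
    for m in SPAM:
        f.train(m, "spam")
    before = f.word_score(target)
    assert not f.is_spam(probe)  # the probe is delivered before poisoning
    for _ in range(n_poison):
        f.train(f"garden window river {target}", "spam")
    return before, f.word_score(target), f.is_spam(probe)

if __name__ == "__main__":
    print(poisoning_experiment("fahrenheit", "two tickets for fahrenheit tonight"))
    print(poisoning_experiment("meeting", "lunch meeting tomorrow"))
```

Comparing a word's score before and after a batch of user-labelled spam, as the function does, is also a simple way to notice when one token's score is being driven entirely by spam-labelled training data.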


"Tech" Lobbyists Slow to Respond to Dangerous Bills

Dan Gillmor, among others, bemoans the lack of effective lobbying by technology companies. Exhibit A is their weak and disorganized response to various bills, such as the Hatch INDUCE/IICA Act, that would give the movie and music industries veto power over the development of new technology. It’s true that large tech companies have been slow and clumsy in addressing these issues; but that’s not the whole story.

The other part of the story is that the interests of a few large tech companies don’t necessarily coincide with those of the technology industry as a whole, or of the users of technology. Giving the entertainment industry a veto over new technologies would have two main effects: it would slow the pace of technical innovation, and it would create barriers to entry in the tech markets. Incumbent companies may be perfectly happy to see slower innovation and higher barriers to entry, especially if the entertainment-industry veto contained some kind of grandfather clause, either implicit or explicit, that allowed incumbent products to stay in the market – as seems likely should such a veto be imposed.

Just to be clear, an entertainment-industry veto would surely hurt the tech incumbents. It’s just that it would hurt their upstart competitors more. So it’s not entirely surprising that the incumbents would have some mixed feelings about veto proposals, though it is disappointing that the incumbents aren’t standing up for the industry as a whole.

What can be done about this? I don’t see an easy answer. In Washington, it seems to be standard procedure to mistake the voices of a few incumbents for those of a whole industry. Certainly, the incumbents have no interest in contradicting that assumption. Our best hope is that the incumbents will see it in their own long-term interest to foster a fast-moving, highly competitive industry.


Minimum Age for Pro Basketball?

Yesterday was the NBA draft. In the first round, eight high school seniors were taken, and only five college seniors. (The rest were overseas players and college underclassmen.) The very first pick was a high school senior, chosen over a very accomplished college player.

You have to be 16 to drive. You have to be 21 to drink alcohol (at least where I live). Should there be a minimum age for playing professional basketball? NBA commissioner David Stern favors a minimum age of 20 for NBA players. The NFL’s rule, banning players less than three years out of high school, withstood a court challenge from Maurice Clarett, who wanted to go pro after two years of college.

Nobody can argue, after seeing Kobe Bryant, Kevin Garnett, and LeBron James, that college is a prerequisite for NBA stardom. Sure, some high-school draftees wash out, but they may well have failed just as badly had they spent four years playing college ball.

Stern, and other proponents of the minimum age rule, argue that going to college is good for these kids. That’s probably true, if they become real students. But it’s hard to see the point in making them pretend to be students, which is what many of them would do were it not for the straight-to-the-pros path. It’s especially hard to see the point of making them mark time as pseudo-students until they pass some arbitrary age threshold, at which point they can drop their pseudo-education like a red-hot brick and jump to the pros.

Another, considerably more cynical, argument for an age limit is that forcing kids to play college sports is a clever way to subsidize university education. If college basketball is just minor-league pro ball with unpaid players, then it can serve as a profit center for universities, generating revenue to support other students who are actually being educated.

But all of this ignores the biggest losers in the trend towards professionalization of college sports: the true student-athletes. These are the players who don’t spend all day in the weight room, who study things other than game films. It’s very hard for them to compete against full-time athletes, and so they face intense pressure to slack on their studies.

It seems to me that professional football and basketball could learn a thing or two from baseball. The normal path in baseball has been for players to turn pro immediately after high school, with only a few players


RIAA Blowing Smoke About INDUCE Act

Today’s New York Times runs a brief story by Matt Richtel and Tom Zeller, Jr. on the growing criticism of Sen. Hatch’s INDUCE Act (now given a less bizarre name, and a new acronym, IICA).

Sellers of clearly legitimate products, such as those in telecom and electronics industries, argue that the bill is too broad.

The RIAA shoots back with this:

But Mitch Bainwol, chief executive of the Recording Industry Association of America, a recording industry lobbying group, said the legislation was meant to be narrowly tailored to address companies that build technology focused on illegal file sharing.

The RIAA is just wrong here. There is nothing in the bill that limits it to companies. There is nothing that limits it to technology. There is nothing that limits it to file sharing. Any of those limits could have been written into the bill – but they weren’t. The language of the bill is deliberately broad, and it appears to be deliberately vague as well.

Advocates of the Act have said little if anything to justify its breadth. This will be a key issue in the debate over the bill, if any serious debate is allowed to occur.


The Future of Filesharing

Today there’s a Senate hearing on “The Future of P2P”. On Saturday, I gave a talk with a remarkably similar title, “The Future of Filesharing,” at the ResNet 2004 conference, a gathering of about 400 people involved in running networks for residential colleges and universities. Here’s a capsule summary of my talk.

(Before starting, a caveat. Filesharing technologies have many legitimate, non-infringing uses. When I say “filesharing” below, I’m using that term as a shorthand to refer to infringing uses of filesharing systems. Rather than clutter up the text below with lots of caveats about legitimate noninfringing uses, let’s just put aside the noninfringing uses for now. Okay?)

From a technology standpoint, the future of filesharing will involve co-evolution between filesharing technology on one side, and anti-copying and anti-filesharing technology on the other. By “co-evolution” I mean that whenever one side finds a successful tactic, the other side will evolve to address that tactic, so that each side catalyzes the evolution of the other side’s technology.

The resulting arms race favors the filesharing side, for two reasons. First, the filesharing side can probably adapt faster than the anti-filesharing side; and speed is important in this kind of move-countermove game. Second, the defensive technologies that filesharing systems are likely to adopt are the same defensive technologies used in ordinary commercial distributed systems (end-to-end encryption, anti-denial of service tactics, reputation systems, etc.), so the filesharing side can benefit from the enormous existing R&D efforts on defensive technologies.

Given all of this, it’s a mistake for universities or ISPs to spend lots of money and effort trying to develop or deploy the One True Solution Technology (OTSS). Co-evolution ensures that the OTSS would sow the seeds of its own destruction, by motivating filesharing designers and users to change their systems and behavior to defeat it. At best, the OTSS would buy a little time – but not much time, given the quick reaction time of the other side. Rather than an OTSS, a series of quick-and-dirty measures might have some effect, and at least would waste fewer resources fighting a losing battle.

The best role for a university in the copyright wars is to do what a university does best: educate students. When I talk about education, I don’t mean a five-minute lecture at freshman initiation. I don’t mean adding three paragraphs on copyright to that rulebook that nobody reads. I don’t mean scare tactics. What I do mean is a real, substantive discussion of the copyright system.

My experience is that students are eager to have serious, intellectual discussions about why we have the copyright system we have. They will take seriously the economic justification for copyright, if it is explained to them in a non-hysterical way. They’ll appreciate the wisdom of the limitations on copyright, such as fair use and the idea/expression dichotomy; and in so doing they’ll realize why there are not exceptions for other things.

This kind of education is expensive; but all good education is. Surely, amid all of the hectoring “education” campaigns, there is room for some serious education too.


Tech Giants Support DMCA Reform

Big tech companies, including Intel and Sun Microsystems, and ISPs, including Verizon and SBC, will announce today that they have banded together to form the “Personal Technology Freedom Coalition,” to support Rep. Rick Boucher’s DMCRA bill (HR 107) to reform the DMCA, according to a Declan McCullagh story at news.com.

The Boucher bill would reform the DMCA to allow the distribution and use of circumvention technologies for non-infringing purposes. (As written, the DMCA bans even circumventions that don’t result in copyright infringement.) The bill would also create an exemption to the DMCA for legitimate research.

This bill has always been in the interests of technologists. The overbreadth of the DMCA has restrained both research and development of innovative, noninfringing uses of technology. The whole tech community – including users – would benefit from a narrowing of the DMCA.

So far, technology companies have been a bit shy about expressing their support for the Boucher bill, apparently out of a desire not to offend copyright maximalists. It’s good news that these companies are now willing to stand up for their interests and the interests of their customers.

I’m sure we’ll be hearing more about the Boucher bill in the coming weeks.


Voting News

The League of Women Voters last week rescinded its support for paperless e-voting machines. The decision was driven by grassroots support among the League’s members, overriding a previous policy that was, according to rumor, decreed originally by a single member of the League’s staff. (I can’t find this story on the public part of the League’s site, but it comes from a reliable source, so I’m pretty sure it’s true.)

Also, tomorrow, June 22, there will be a rally in Washington for supporters of voter-verifiable paper trails. The rally runs from 11:45 until 1:00, on Cannon Terrace, just south of the U.S. Capitol, between the Cannon and Longworth House Office Buildings. (Metro stop: Capitol South; enter at the corner of New Jersey and Independence) Speakers include Rep. Rush Holt and other members of Congress.


Lame Copy Protection Doesn't Depress CD Sales Much

A CD “protected” by the SunnComm anti-copying technology is now topping the music charts. This technology, you may recall, was the subject of a paper by Alex Halderman. The technology presents absolutely no barrier to copying on some PCs; on the remaining PCs, it can be defeated by holding down the Shift key when inserting the CD.

SunnComm execs say that this demonstrates consumer acceptance of their technology. A quick look at the consumer reviews at Amazon tells the real story: the technology causes significant problems for some law-abiding customers, and many customers dislike it. Many customers find the technology bearable only because it is so easily defeated, thereby allowing customers who, say, want to download songs from the album onto their iPods a way to do so.

Alex Halderman reports receiving at least three unsolicited emails this week thanking him for explaining how consumers can stop the SunnComm technology from impeding their fair use of this album. Here’s one:


Thanks for the great article on this topic. I just bought the new Velvet Revolver CD and was not able to listen to it on my computer or import it into my iTunes program. I did use their “Copy” option which saved the files as Windows Media Files but these couldn’t be converted by iTunes. Well this is not acceptable and within about 5 minutes I was able to find your article and disable the lame driver.

Keep up the great work!

Another, in addition to discussing the fair use issue, says this:

If I wasn’t such a fan of this band, I would have taken the CD back in protest. But alas, it’s the only way to be legal and I wish for the artist to reap their financial benefits.

Needless to say, the SunnComm technology has not kept the songs on this album off of the filesharing systems.


Hatch to Introduce INDUCE Act

Fred von Lohmann at EFF Deep Links reports that Sen. Orrin Hatch is planning to introduce, possibly today, a bill to create a new form of indirect liability for copyright infringement. The full name of the bill is somewhat bizarre: the “Inducement Devolves into Unlawful Child Exploitation Act”.

Not being a lawyer, I can’t immediately say what impact this bill would have. But Fred von Lohmann, a very smart copyright lawyer, sees it as a threat to innovation, and Ernest Miller, who is also well versed in copyright law, uses me as an example of a person whose legitimate activities might be threatened by the bill. That’s definitely not the kind of thing I wanted to read over breakfast.

We’ll have to see how the Hatch bill is received. If it passes, it looks like computer security research may become even more of a legal minefield than it already is.