October 15, 2024

Posts Comments

Why the 09ers Are So Upset

May 3, 2007 by

The user revolt at Digg and elsewhere, over attempts to take down the now-famous “09 F9 …” number, is now all over the press. (Background: 1, 2) Many non-techies, including some reporters, wonder why users care so much about this. What is it about “09F9…” that makes people willing to defend it by making T-shirts, writing songs, or subjecting their dotcom startup to lawsuit risk?

The answer has several parts. The first answer is that it’s a reaction against censorship. Net users hate censorship and often respond by replicating the threatened content. When Web companies take down user-submitted content at the behest of big media companies, that looks like censorship. But censorship by itself is not the whole story.

The second part of the answer, and the one most often missed by non-techies, is the fact that the content in question is an integer – an ordinary number, in other words. The number is often written in geeky alphanumeric format, but it can be written equivalently in a more user-friendly form like 790,815,794,162,126,871,771,506,399,625. Giving a private party ownership of a number seems deeply wrong to people versed in mathematics and computer science. Letting a private group pick out many millions of numbers (like the AACS secret keys), and then simply declare ownership of them, seems even worse.

While it’s obvious why the creator of a movie or a song might deserve some special claim over the use of their creation, it’s hard to see why anyone should be able to pick a number at random and unilaterally declare ownership of it. There is nothing creative about this number – indeed, it was chosen by a method designed to ensure that the resulting number was in no way special. It’s just a number they picked out of a hat. And now they own it?

As if that’s not weird enough, there are actually millions of other numbers (other keys used in AACS) that AACS LA claims to own, and we don’t know what they are. When I wrote the thirty-digit number that appears above, I carefully avoided writing the real 09F9 number, so as to avoid the possibility of mind-bending lawsuits over integer ownership. But there is still a nonzero probability that AACS LA thinks it owns the number I wrote.

When the great mathematician Leopold Kronecker wrote his famous dictum, “God created the integers; all else is the work of man”, he meant that the basic structure of mathematics is part of the design of the universe. What God created, AACS LA now wants to take away.

The third part of the answer is that the link between the 09F9 number and the potential harm of copyright infringement is pretty tenuous. AACS LA tells everyone who will listen that the discovery and distribution of the 09F9 number is no real threat to the viability of AACS or the HD-DVD/Blu-ray formats. A person getting the 09F9 number could, if he or she is technically skillful, invest a lot of work to get access to movies. But there are easier, less tech-intensive ways to get the same movies. Publishing the number has approximately zero impact on copyright infringement.

Which brings us to the civil disobedience angle. It’s no secret that many in the tech community despise the DMCA’s anticircumvention provisions. If you’re going to defy a law to show your disagreement with it, you’ll look for a situation where (1) the application of the law is especially inappropriate, (2) your violation does no actual harm, and (3) many others are doing the same thing so the breadth of opposition to the law is evident. That’s what we see here.

It will be interesting to see what AACS LA does next. My guess is that they’ll cut their losses, refrain from sending demand letters and filing lawsuits, and let the 09F9 meme run its course.

Filed Under: Uncategorized Tagged With: , , ,

Digg Users Revolt Over AACS Key

May 2, 2007 by

I wrote yesterday about efforts by AACS LA, the entity that controls the AACS copy protection system used in HD-DVD and Blu-ray discs, to stop people from republishing a sixteen-byte cryptographic key that can unlock most existing discs. Much of the action took place at Digg, a site that aggregates Web page recommendations from many people. (At Digg, you can recommend pages on the Web that you find interesting, and Digg will show you the most-recommended pages in various categories.

Digg had received a demand letter from AACS LA, asking Digg to take down links to sites containing the key. After consulting with lawyers, Digg complied, and Digg’s administrators started canceling entries on the site.

Then Digg’s users revolted. As word got around about what Digg was doing, users launched a deluge of submissions to Digg, all mentioning or linking to the key. Digg’s administrators tried to keep up, but submissions showed up faster than the administrators could cancel them. For a while yesterday, the entire front page of Digg – the “hottest” pages according to Digg’s algorithms – consisted of links to the AACS key.

Last night, Digg capitulated to its users. Digg promised to stop removing links to the key, and Digg founder Kevin Rose even posted the key to the site himself. Rose wrote on Digg’s official blog,

In building and shaping the site I’ve always tried to stay as hands on as possible. We’ve always given site moderation (digging/burying) power to the community. Occasionally we step in to remove stories that violate our terms of use (eg. linking to pornography, illegal downloads, racial hate sites, etc.). So today was a difficult day for us. We had to decide whether to remove stories containing a single code based on a cease and desist declaration. We had to make a call, and in our desire to avoid a scenario where Digg would be interrupted or shut down, we decided to comply and remove the stories with the code.

But now, after seeing hundreds of stories and reading thousands of comments, you’ve made it clear. You’d rather see Digg go down fighting than bow down to a bigger company. We hear you, and effective immediately we won’t delete stories or comments containing the code and will deal with whatever the consequences might be.

If we lose, then what the hell, at least we died trying.

This is a remarkable event. Critics of Web 2.0 technologies like Digg often say that users are being exploited, that the “communities” on these sites are shams and the company running the site is really in control. Here, the Digg company found that it doesn’t entirely control the Digg site – if users want something on the site badly enough, they can put it there. If Digg wasn’t going to shut down entirely (or become clogged with postings of the key), it had no choice but to acquiesce and allow links to the key. But Digg went beyond acquiescence, siding with its users against AACS LA, by posting the key itself and practically inviting a lawsuit from AACS LA.

Digg’s motive here probably has more to do with profit and market share than with truth, justice, and the American way. It’s not a coincidence that Digg’s newly discovered values coincide with the desires of its users. Still, the important fact is that users could bend Digg to their will. It turns out that the “government” of Digg’s community gets its power from the consent of the governed. Users of other Web 2.0 sites will surely take note.

Filed Under: Uncategorized Tagged With: , , ,

AACS Plays Whack-a-Mole with Extracted Key

May 1, 2007 by

The people who control AACS, the copy protection technology used on HD-DVD and Blu-ray discs, are apparently trying to shut down websites that publish a certain 128-bit integer. The number is apparently a “processing key” used in AACS. Together with a suitable computer program, the key allows the decryption of video content on most existing HD-DVD and Blu-ray discs.

I won’t publish the key here but you can spot it all over the Web. It’s a long string starting with “09 F9”.

The key has been published on a few websites for months, but in recent days the AACS “Licensing Authority” (AACS LA) has taken to sending out demand letters to websites that publish the key, claiming that the key is a circumvention technology under the DMCA. News of these demand letters, and the subsequent disappearance of content and whole sites from the Net, has triggered an entirely predictable backlash, with thousands of people reposting the key to their own sites.

The key will inevitably remain available, and AACSLA are just making themselves look silly by trying to suppress it. We’ve seen this script before. The key will show up on T-shirts and in song lyrics. It will be chalked on the sidewalk outside the AACS LA office. And so on.

It’s hard to see the logic in AACS LA’s strategy here. Their end goal is (or should be) to stop unauthorized online distribution of high-def video files ripped from HD-DVD or Blu-ray discs. The files in question are enormous and cumbersome to store and distribute, containing more than a gigabyte of content. If you can’t stop distribution of these huge files, surely there’s no hope of stopping distribution of a little sixteen-byte key, or even of decryption software containing the key. Whatever tactics can stop distribution of the key should be even more effective against distribution of movies.

My guess is that AACS LA miscalculated, thinking that a few demand letters would succeed in suppressing the key. As the key spread, it seemed natural to continue sending letters – to do otherwise would be an admission of defeat. Now the key is spread so widely that there’s no point in sending any more letters.

The next question is whether AACS LA will try to sue somebody who defied a demand letter. There’s no real strategic point to such a suit, but even big organizations act out of spite sometimes.

Filed Under: Uncategorized Tagged With: , ,

Miracle Fruit: Tinkering with our Taste Buds

April 27, 2007 by

Miraculin, the extract of a West African fruit, is said to make sour foods taste sweet. It’s not sugary, but it’s said to trick your taste buds into misreporting the flavor of the food you’re eating. One of my students, Bill Zeller, bought some miraculin and a group of us tried it out. Here, in the interest of science, is my report.

Miraculin is a lumpy powder, dull red in color, that results from freeze-drying the flesh of the so-called miracle fruit. Here’s about twenty-five grams of miraculin, with a lime for size comparison.

Bill bought fifty grams of miraculin, which came by mail from Ghana. Both Ghana and the U.S. required customs paperwork before the fruit-based product could be shipped. Here’s the Republic of Ghana export permit.

I took a lump of miraculin, weighing a gram or two, and carefully ate it, pushing it around on my tongue as it dissolved.

It didn’t have much taste, and the texture was a bit gummy. Once it was all dissolved I waited a minute or so for the effect to kick in. The effect is said to wear off after about twenty minutes, so it was time for the taste test to begin.

As predicted, the miraculin made sour things taste sweet. Lemon wedges tasted like sweet lemonade. Lime wedges were sweet too. I could still sense the acidity of the fruit, and there was a detectable sour taste but it seemed to be covered over with a pleasant citrus sweetness. I could have eaten whole lemons or limes with no problem.

The grapefruit was stunning, perhaps the best-tasting fruit I have ever eaten. The ones we had were pretty sweet already as grapefruit go, but with miraculin they were distinctly but not overly sweet, and the underlying grapefruit flavor came through beautifully. I had to stop myself from wolfing down several grapefruit.

After the fruit I tried some other foods that were handy. Pizza tasted about the same as usual, though the tomato sauce had a slightly sweet tinge. Diet Dr. Pepper tasted normal. I tried some Indian food – samosas and curried chickpeas – and found the flavor unchanged except that the spiciness was intensified. The normally mild potato-based samosa filling had a spicy kick. Miraculin did nothing for a sweet dessert.

My verdict on miraculin? It’s pleasant and I’m glad I tried it, but it’s not a life-changing experience. I can imagine it becoming popular. It makes some healthy foods taste better, and it’s not too expensive. The amount I had would cost less than a dollar today if you bought in bulk, and there must be unexploited economies of scale.

Thanks to Bill Zeller for getting the miraculin,

to my co-investigators,

and Alex Halderman for taking the photos.

Filed Under: Uncategorized Tagged With: ,

Botnet Briefing

April 26, 2007 by

Yesterday I spoke at a Washington briefing on botnets. The event was hosted by the Senate Science and Technology Caucus, and sponsored by ACM and Microsoft. Along with opening remarks by Senators Pryor and Bennett, there were short briefings by me, Phil Reitinger of Microsoft, and Scott O’Neal of the FBI.

(Botnets are coordinated computer intrusions, where the attacker installs a long-lived software agent or “bot” on many end-user computers. After being installed, the bots receive commands from the attacker through a command-and-control mechanism. You can think of bots as a more advanced form of the viruses and worms we saw previously.)

Botnets are a serious threat, but as usual in cybersecurity there is no obvious silver bullet against them. I gave a laundry list of possible anti-bot tactics, including a mix of technical, law enforcement, and policy approaches.

Phil Reitinger talked about Microsoft’s anti-botnet activities. These range from general efforts to improve software security, to distribution of patches and malicious code removal tools, to investigation of specific bot attacks. I was glad to hear him call out the need for basic research on computer security.

Scott O’Neal talked about the FBI’s fight against botnets, which he said followed the Bureau’s historical pattern in dealing with new types of crime. At first, they responded to specific attacks by investigating and trying to identify the perpetrators. Over time they have adopted new tactics, such as infiltrating the markets and fora where botmasters meet. Though he didn’t explicitly prioritize the different types of botnet (mis)use, it was clear that commercially motivated denial-of-service attacks were prominent in his mind.

Much of the audience consisted of Senate and House staffers, who are naturally interested in possible legislative approaches to the botnet problem. Beyond seeing that law enforcement has adequate resources, there isn’t much that needs to be done. Current laws such as the Computer Fraud and Abuse Act, and anti-fraud and anti-spam laws, already cover botnet attacks. The hard part is catching the bad guys in the first place.

The one legislative suggestion we heard was to reduce the threshold for criminal violation in the Computer Fraud and Abuse Act. Using computers without authorization is a crime, but there are threshold requirements to make sure that trivial offenses can’t bring down the big hammer of felony prosecution.

The concern is that a badguy who breaks into a large number of computers and installs bots, but hasn’t yet used the bots to do harm, might be able to escape prosecution. He could still be prosecuted if certain types of bad intent can be proved, but where that is not possible he arguably might not meet the $5000 damage threshold. The law might be changed to allow prosecution when some designated number of computers are affected.

Paul Ohm has expressed skepticism about this kind of proposal. He points to a tendency to base cybersecurity policy on anecdote and worst-case predictions, even though a great deal of preventable harm is caused by simpler, more mundane attacks.

I’d like to see more data on how big a problem the current CFAA thresholds are. How many real badguys have escaped CFAA prosecution? Of those who did, how many could be prosecuted for other, equally serious violations? With data in hand, the cost-benefit tradeoffs in amending the CFAA will be easier.

Senator Bennett, in his remarks, characterized cybersecurity as a long-term fight. “You guys have permanent job security…. You’re working on a problem that will never be solved.”

Filed Under: Uncategorized Tagged With: ,