December 29, 2024

RIAA, MPAA Join Internet2 Consortium

RIAA and MPAA, trade associations that include the major U.S. record and movie companies, joined the Internet2 consortium on Friday, according to a joint press release. I’ve heard some alarm about this, suggesting that this will allow the AAs to control how the next generation Internet is built. But once we strip away the hype, there’s not much to worry about in this announcement.

Despite its grand name, Internet2 is not a new network. Its main purpose has been to add some fast links to today’s Internet, to connect bandwidth-hungry universities, e.g., so that researchers at one university can explore the results of climate simulations done at a peer university. The Internet2 links carry traffic of all sorts and they use the same protocols as the rest of the Internet.

A lesser function of Internet2 is to host discussions among researchers studying specific topics. It’s good when people studying similar problems can talk to each other, as long as one group isn’t put in charge of what the other groups do. And as I understand it, the Internet2 discussions are just that – discussions – and not a top-down management structure. So it doesn’t look to me like Internet2, as a corporate body, could do much to divert the natural course of research, even if it wanted to.

Finally, Internet2 is not in a position to dicate what technology gets deployed in the future Internet. Internet2 may give birth to ideas that are then adopted by the industry; but those ideas will only be deployed if market pressures drive the industry to build them. If the AAs think that they can sit down with Internet2 and negotiate the future of the Internet, they’re sadly mistaken. But I very much doubt that that’s what they think.

So why are the AAs joining Internet2? My guess is that they joined for mostly the same reasons that other non-IT-industry corporate members did. Why did Johnson and Johnson join? Why did Ford join? Because their business strategies depend on the future of high-performance networks. The same is true of the record and movie companies. Their business models will one day center on online, digital distribution of content. It’s best for them, and probably for everybody else too, if they face that future squarely, right away. I’m hope their presence in Internet2 will help them see what is coming, and figure out how to adapt to it.

Recommended Reading: Crime-Facilitating Speech

Eugene Volokh has an interesting new paper about Crime-Facilitating Speech (abridged version): “speech [that] provides information that makes it easier to commit crimes, torts, or other harms”. He argues convincingly that many free-speech cases pertain to crime-facilitating speech. Somebody wants to prevent speech because it may facilitate crime, but others argue that the speech has beneficial effects too. When should such speech be allowed?

The paper is a long and detailed discussion of this issues, with many examples. In the end, he asserts that crime-facilitating speech should be allowed except where (a) “the speech is said to a few people who the speaker knows are likely to use it to commit a crime or to escape punishment”, (b) the speech “has virtually no noncriminal uses”, (c) “the speech facilitates extraordinarily serious harms, such as nuclear or biological attacks”. But don’t just read the end – if you have time it’s well worth the effort to understand how he got there.

What struck me is how many of the examples relate to computer security or copyright enforcement. Many security researchers feel that the applied side of the field has become a legal minefield. Papers like this illustrate how that happened. The paper’s recommendations, if followed, would go a long way toward making legitimate research and publication safer.

Cisco Claims Its Product is a Trade Secret

I wrote Friday about the legal threats by Cisco and ISS against researcher Mike Lynn, relating to Lynn’s presentation at Black Hat about a Cisco security vulnerability. The complaint Cisco and ISS filed is now available online. Jennifer Granick, Lynn’s lawyer, has an interesting narrative of the case (part 1; part 2; part 3; part 4).

The complaint claims that Lynn wronged ISS, by giving a PowerPoint presentation that was copyrighted by ISS (because Lynn allegedly prepared it as a work for hire), and by violating the NDA he signed as a member of ISS’s board of directors. The complaint also claims that Lynn wronged Cisco by including snippets of its copyrighted software code in the presentation, and by presenting Cisco trade secrets that had been misappropriated.

The trade secret misappropriation claim is the most interesting one. Cisco’s argument goes as follows. The executable machine code that ships with Cisco routers is a trade secret of Cisco. Customers agree to a contract in which they promise not to disassemble the code. ISS agreed to that contract. Some unspecified person disassembled the code, in violation of the contract, to get information that was used in Lynn’s presentation. Lynn knew that the information was acquired by breach of contract and therefore was a misappropriated trade secret. Lynn disseminated the information anyway.

[Oddly, the complaint incorrectly refers to the executable machine code that ships on Cisco routers as Cisco’s “source code.” This false characterization looks deliberate – it is made repeatedly in the documents, and even occurs more than once in the two-page declaration signed by Cisco’s Vice President for Customer Support. Lawyers in a hurry might make this mistake in their papers, but it’s hard to come up with a charitable explanation for how this mischaracterization occurred twice in a very short statement under oath by the VP for Customer Support. Does he really not know the difference between machine code and source code? Does he not know which kind of code Cisco ships on its routers? Did he not recognize that the code in the presentation which he claims to have reviewed was not source code? Did he sign the declaration under oath without reading it carefully enough to catch such a simple error, which occurred twice in a document with less than one page of text? Or did he know about the error and sign anyway? He could easily have corrected the error himself by deleting or crossing out the word “source” before signing.]

Any discussion of this argument has to start with the obvious: Cisco is claiming that part of its product is a trade secret. The software is key to the product’s function, and Cisco sells the product to essentially anybody who wants it. It’s hard to think of any reasonable sense in which this can be called a secret. (I know that legal definitions of terms like “trade secret” aren’t always intuitive, but still, this seems a bit much.)

It’s also pretty clear that the alleged harm to Cisco from Lynn’s action was not the kind of harm that trade secret law was meant to prevent. There is no real argument that the brief snippets of code in Lynn’s presentation (2MB PDF) would help Cisco’s competitors improve their products. The reason Cisco wanted to prevent Lynn’s presentation is that it wanted to keep truthful information about flaws in its products out of the hands of the public. Why should information about product flaws be considered a trade secret?

As I argued on Friday, ISS is in a difficult position. The complaint alleges that ISS agreed not to disassemble Cisco’s code. It does not assert that Lynn himself had agreed not to disasssemble the code, and it does not accuse Lynn of directly misappropriating the secrets. It only says that Lynn knew that they had been misappropriated. The complaint essentially accuses ISS of misappropriating the trade secrets. Which is interesting, considering that ISS was one of the parties that filed the complaint.

Jennifer Granick, Lynn’s lawyer, also had her doubts about the trade secret claim. It would have been interesting to see the claim litigated. Instead, Lynn, on Granick’s advice, decided prudently to settle the case. It’s one thing to talk about cases like this in the abstract; it’s another thing entirely to be in the legal meat-grinder yourself.

The only good news here is that Cisco seems to be getting what it deserves after the legal strongarming of Mike Lynn. Cisco’s efforts have only notified more people that its product has a serious security flaw, and that Cisco is afraid to allow independent evaluation of its products’ security.

Entertainment Industry Pretending to Have Won Grokster Case

Most independent analysts agree that the entertainment industry didn’t get what it wanted from the Supreme Court’s Grokster ruling. Things look grim for the Grokster defendants themselves; but what the industry really wanted from the Court was a ruling that a communication technologies that are widely used to infringe should not be allowed to exist, regardless of the behavior and intentions of the technologies’ creators. The Court rejected this theory.

Last week the Senate Commerce Committee held a hearing (a video stream is available) on the Grokster aftermath. This was a chance for witnesses representing various interests to put their official spin on the Grokster ruling. All of the witnesses praised the ruling and asked Congress to wait and see what develops, rather than legislating right away. But different witnesses put different spins on the ruling.

The entertainment industry line was presented by Mitch Bainwol of the RIAA, Fritz Attaway of the MPAA, and Gregory Kerber of Wurld Media (a music distribution service). Their strategy was essentially to pretend that the Court did give the industry what it wanted, and that P2P technologies were now presumptively illegal unless they had cut licensing deals with the industry. They didn’t argue this directly, but the message was clear. For example, they tried to draw a line between “legitimate” P2P technologies and others, where legitimacy was apparently achieved by signing a licensing deal with major recording or movie companies.

For example, in response to concerns from Mark Heesen of the National Venture Capital Association about venture capitalists’ fears of financial ruin from investing in even well-intentioned communication technology companies, Mr. Kerber said this:

It’s very clear how you get investment. The rules are there. We’re a P2P – we’re a real peer-to-peer – it’s centrally controlled, we can control that … we can respect the copyright holder’s wants during – through a contractual process.

And the way that investors realize that is when we go out and get deals with the record labels, movie studios; and … the venture capitalists do their due diligence, they call and they find out that … the content owner of these assets [says] yes, we will allow this to be transferred and distributed and sold … within – on the network.

So … it’s very, very clear. If you have a contract with a major label, indy label, movie studio, publisher, what they have said is, we will allow the content to be sold in this manner across our network. So I’m a little confused by – there’s an absolute clear path for an investor to understand what’s right and wrong in the process.

It’s a simple message. Investing in technologies that have been blessed by the entertainment industry: right; investing in other technologies: wrong.

But it’s not what the Court said. The Court rejected the proposition that P2P or other communication technologies can exist only at the pleasure of the entertainment industry.

Despite this, we can expect to hear more of this rhetoric of “legitimacy”. And when P2P technologies continue to exist and be popular, we can expect calls for legislation to control the scourge of “illegitimacy”.

ISS Caught in the Middle in Cisco Security Flap

The cybersecurity world is buzzing with news about Cisco’s attempt to silence Michael Lynn’s discussion of a serious security flaw in the company’s product. Here’s the chronology, which I have pieced together from news reports (so the obvious caveats apply):

Michael Lynn worked for ISS, a company that sells security scanning software. In the course of his work, he found a serious security flaw in IOS, the operating system that runs on Cisco’s routers. (Routers are specialized computers that shunt Internet packets from link to link, getting them gradually from source to destination. Cisco is the leading maker of routers.)

It has long been believed that a buffer overflow bug (the most common types of security bug) in IOS could be exploited by a remote party to crash the router, but not to seize control of it. What Lynn discovered is a way for an attacker to leverage a buffer overflow bug in IOS into full control over the router. Buffer overflow bugs are common, and Cisco routers handle nearly all Internet traffic, so this is a big problem.

Lynn was planning to discuss this in a presentation Wednesday at the Black Hat conference. At the last minute Cisco convinced ISS (Lynn’s employer) to cancel the talk. Cisco employees ripped Lynn’s paper out of every copy of the already-printed conference proceedings, and ISS ordered Lynn to talk about another topic during his already-scheduled slot in the Black Hat conference schedule.

Lynn quit his ISS job and gave a presentation about the Cisco flaw.

Cisco ran to court, asking for an injunction barring Lynn from further disclosing the information. They argued that the information was a trade secret and Lynn had obtained it illegally by reverse engineering.

The parties have now agreed that Lynn will destroy any documents or files he has on the topic, and will refrain from disclosing the information to anyone. The Black Hat organizers will destroy their videotape of Lynn’s presentation.

What distinguishes this from the standard “vendor tries to silence security researcher” narrative is the role of ISS. Recall that Lynn did his research as an ISS employee. This kind of research is critical to ISS’s business – it has to know about flaws before it can help protect its customers from them. Which means that ISS can’t be happy with the assertion that the research done in ISS’s lab was illegal.

So it looks like all of the parties lose. Cisco failed to cover up its security vulnerability, and only drew more attention with the legal threats. Lynn is out of a job. And ISS is the big loser, with its research enterprise potentially at risk.

The public, on the other hand, got useful information about the (in)security of the Internet infrastructure. Despite Cisco’s legal action, the information is out there – Lynn’s PowerPoint presentation is already available at Cryptome.

[Updated at 11:10 AM with minor modification to the description of what Lynn discovered, and to add the last sentence about the information reaching the public via Cryptome.]

Update (1:10 PM): The FBI is investigating whether Lynn committed a crime by giving his talk. The possible crime, apparently, was the alleged disclosure of ISS trade secrets.