Mar 17, 2001

Record Industry Plays Both Sides
Music & MP3
3/17/2001; 6:35:59 PM '...Record labels are poised to conquer cyberspace with their own streaming and downloading services.

'Ironically, only one thing stands in the way: copyright.

'Record companies aren't the only ones that hold copyright on music recordings. Music publishers, who represent lyricists and composers, do too -- owning the rights to the piece of music itself. For every copy a record company distributes, the publisher gets a small cut. That's how the people who write the songs get paid....

'...the Rodgers and Hammerstein Organization and the Songwriters Guild of America, along with other artists and publishers, [have] sued Universal's new website, called the Farmclub Online, for letting users download music without paying royalties to the people who wrote and published the songs.'

Resisting the temptation to just chortle with glee at the RIAA doing a quite sudden 180, it's worth remembering that the RIAA is essentially correct in one critical way: Copyright complexity is increasing exponentially, and to do something, anything, new to a song or other piece of "content" is prohibitively complex. Copyright law does need to be boiled down and simplified.

I will chortle with glee that the RIAA has learned the hard way that their own desired copyright regime has come back to bite them again (as it always does). I knew this would happen, it always works like that. For instance, if the software industry (as a whole) continues down the path it is travelling for incredibly restrictive patent regimes, the industry as a whole will suffer immensely in the long term. For RIAA, that "long term" just came sooner than it might have.

Mar 14, 2001

Better Business Bureau tries to stop Web links
Free Speech
3/14/2001; 9:09:35 PM 'The Better Business Bureau is demanding that an Israeli company's Web site take down its link to the consumer protection organization.

'The demand raises new intellectual property questions about how companies protect their names and logos online. A trademark expert said that the group has little chance to enforce its demand in court....'

'Zialcita said the bureau allows links from the news media, government agencies, schools and bureau members. She said the organization also allows links to search engine sites because ``we can't stop them.'''

ROBOTS.TXT, anyone? (Granted, compliance is voluntary... all compliance in this case is voluntary.)

Their argument:

'The e-mail from Beth Zialcita, a trademark enforcer at the organization, says the link ``may imply or mislead consumers into assuming that our organization supports your business or that there is a business relationship between us.'''

I'm sorry, but the position that people routinely interpret links on the Internet as "support" or "business relationships" is absurd. Does anyone reading this site seriously think I'm employed by Wired merely because I post a lot of links to them?

Also not in the article, the e-mail contains the phrase 'In addition, materials from our web site is [sic] copyrighted, and, therefore, cannot be linked to without permission from the BBB.' That is one heck of an "however"! I'd like to hear a little expansion on that logic there. Are they seriously claiming I can't point people to the Better Business Bureau home page simply because it's copyrighted? Which exact "right" in "copyright" bans me from referring to the BBB?

BTW, that's not the first time I've linked to them, although it's not on this site. I once actually pointed somebody to them because they wanted to get help with the kind of problem the BBB is supposed to exist for. The irony of an entity like the BBB, who you'd think would want every link and bit of publicity it could get, trying to suppress information about its existence is astounding.

Mar 14, 2001

High-tech titans put the squeeze on privacy regs
Privacy from Companies
3/14/2001; 11:45:29 AM 'Aiming to halt the advance of dozens of privacy bills in Congress and in state legislatures across the country, the group Monday went public with four industry-funded studies asserting that privacy legislation would cost consumers billions of dollars annually.'

'Led by the Online Privacy Alliance in Washington, the loosely organized campaign is attacking legislative proposals on three fronts: identifying expensive regulatory burdens, raising questions about how any U.S. Internet law would apply to non-Internet industries, and assuring lawmakers that privacy is best guarded by new technology, not new laws.'

I won't simply claim these studies are fallacious (though the people conducting the study clearly said they had not considered all factors (specifically, the increase in spending due to increase in confidence, though who knows what else they left out?)), but I can't imagine taking them at face value. Aside from the fact that these studies were bought (why does anyone bother reporting on studies that reflect exactly what the people buying them wanted them to say? Only the opposite would be newsworthy), the results may still not mean anything. Regulation is always expensive. Cars would be thousands of dollars cheaper without regulation. This is not speculation, this is an observation; I've seen a car being produced for China that can be made and sold for a few hundred dollars. It's made out of wood and canvas and has the cheapest imaginable engine in it. The windshield wipers are used by hand. In a crash at any significant speed, it would provide no protection whatsoever. You can even make a case that the majority of a car's price is due to regulation (though it depends a lot on how you draw the lines). So... should we deregulate cars just because it's expensive? No, because the benefits of safe cars outweigh the costs.

The argument that "Privacy is too expensive" assumes that there is some definition of "too" expensive. Simply tossing about billions of dollars in expenses (chump change, really) is not sufficient to prove "too-expensiveness", especially in a study that doesn't consider all the variables. The real question is, "Is privacy worth the cost?", and I personally would say yes (assuming there is a cost, which I do not necessarily concede). (Granted, privacy isn't as directly a life-or-death matter as car safety... nevertheless we are talking about real harm to people.)

Oh, and of course, to look at it another way, "If we aren't allowed to abuse our customers' sensibilities and privacy, then we may not be able to make as much money" is an extraordinarily greedy and childish argument.

Mar 13, 2001

Banner Ads Now Themselves Have Banner Ads
3/13/2001; 11:28:50 AM '"The basic problem," says Marcos, "is that banner ads are expensive to run. Organizations like DoubleClick whose business is to provide the public with banner ads are hemorrhaging cash. It just can't be done by hobbyists anymore. That's why we're stepping in and providing commercial sponsorship for banner ads, in the form of banner ads."'

Mar 13, 2001

Copy This! Can 'Military' Technology Beat Digital Piracy?
3/13/2001; 11:05:44 AM

'A small Austin start-up run by intelligence community alums is parachuting into the burgeoning, post-Napster, copy-protection market with a remarkably thin, invisible software product that claims to offer nearly invincible armor for music, video, film and e-books alike....'

'The InTether system consists of a packager, used by the originator of a file, and a receiver, used by the recipient. The packager enables a publisher, record label, movie studio -- or, for that matter, a law firm, doctor's office, bank or anyone else who wants information security -- to impose a set of restrictions on almost any digital file. InTether, Friedman says, works equally well with, for instance, Word, Adobe Acrobat, Lotus or Excel documents, e-books, music, video or photographic files....'

'In response to a detailed e-mail describing how InTether works, encryption expert Bruce Schneier responded dismissively, predicting in a sentence that InTether would fail. Schneier, who is the chief technology officer for Counterpane Internet Security, which provides network security services for businesses, appended a short essay of his, entitled, ''The Futility of Digital Copy Prevention,'' which he apparently believes is sufficient to outline the inherent flaws of all digital-rights management technologies.'

The author of the article seems to think he was too flippant, but Bruce is right. Read the article first, then read the rest of this commentary:

How to Crack InTether

Create a virtual machine, a la VMWare or Plex86 (which is open source, which when working makes this even easier for Joe Hacker). (If you don't know what VMWare does, visit the site. It's an awesome product, and it does everything they say it does.) Install Windows 95 (or actually any functional Windows that InTether supports) in the virtual machine. Install InTether into that copy of Windows. Load up an InTethered file. Copy with impunity using the host operating system's copying abilities.

If it's audio, have the host OS record it. If it's a picture, have the host OS snap a screenshot. If it's a file, heck, pull it directly out of memory. InTether can't do a thing about it, because you can pause the virtual machine entirely, if necessary, and InTether will remain there, frozen in time, while you attack the security with impunity. For video, grab the frames one at a time if necessary, because again, you can pause the VM as needed.

For any difference between the virtual machine and the real thing that Infraworks claims they can detect and thus use to refuse to run, fix the virtual machine so the difference no longer exists (because, by definition, it's a bug in the VM and should be fixed). The difference no longer exists, and thus InTether cannot detect that it is being emulated. This attack cannot be prevented indefinitely by InTether; at best, a cat and mouse game will be played with the VM programmer and InTether, which will result in A: The VM being immensely improved and B: InTether eventually running out of exploitable differences.

Esp. after Plex86 becomes really capable, this attack will render InTether useless for the purposes of truly high level security. There is no way InTether can possibly tell that it's being emulated, period, no matter what they may claim, if the emulation is good enough (and it can be made good enough). Bruce was right, he just didn't have the time to crack it on the spot for the reporter (no surprises there; we're all busy). And as we all know, once somebody, anybody, has cracked a file, it can be distributed to anybody.

As for the knowledge level this takes? A large number of OS people could pull this off with impunity, probably any computer science grad student could do it, and certainly any dedicated hacker with actual knowledge of computers (i.e., not script kiddies) could do it. We're not talking black art here; and once Plex86 takes off, we aren't even talking heavy wizardry. If I had the time, inclination, and desire to help fix up Plex86, I think I could do it, pretty much by myself. InTether alone just doesn't raise the bar high enough to protect things as well as they seem to be claiming.
