Archive for the ‘Personal Liberty’ Category

I Support George Hotz

February 21st, 2011

For the past couple of weeks, I have been reading with great interest the coverage of Sony deciding to bring suit against George Hotz. George, or GeoHot, as he is known, and others like him, hacked the PS3 after Sony removed the “Other OS” feature. It was this “Other OS” feature that appealed to people like George in the first place, since it allowed the more technical among us to use the PS3 in interesting ways–such as to run a custom version of Linux.

There are many elements to this story: Is what GeoHot did illegal, as Sony claims? Will it lead to more piracy? If it did lead to more piracy, would it even matter? Was what Sony did by removing a feature of the device illegal or unethical? But I think the two main questions above all are: Who owns the device, and how far does free speech go?

We live in an era where corporations are asserting more and more control over the devices we purchase. Unlike a physical book or a lamp, the technology of today allows for interactivity between the manufacturer of the product and the product, itself. Companies like Apple and Sony have attempted to use this to their economic advantage by restricting what valid purchasers of the product can do with their own device. They restrict what apps you run, if you can resell it, and can even take the product back on a whim. Make no mistake: the rights we have enjoyed over our own property are under full frontal assault. Companies like Sony would like nothing better than to convince you that you don’t actually own the product you purchased–that it is really just a long-term rental–that they get to decide the rules.

The other main question besides device ownership is: How far does free speech go? We already know that free speech is not unlimited. You can’t yell “fire” in a movie theater and not expect consequences. But at the same time, we are actually very tolerant of free speech. The fourth amendment guarantees the rights of white supremacists just as it does those whose speech we find copasetic.

“But, wait!” observant readers will say. Sony is not the government and this is a civil issue. If Sony thinks it has been harmed by the free speech that is the release of the private key, they have a right to address that in the courts. Surely, if the secret formula to Coca-cola were to be released, you would expect an army of lawyers to descend on that person.

While it is true that speech can harm a company, a large corporation like Sony can’t necessarily be expected to win a case just because it doesn’t like someone’s speech. They actually have to prove harm in some way, be it libel, slander, trademark infringement or what-have-you. If that weren’t true, and if the law didn’t provide some protection even in cases where the government wasn’t involved, companies like Sony would successfully sue every security researcher every time a new flaw is found.

This case is not about piracy. If George is to be believed, he has never used the Sony online service, never assented to the EULA and never pirated a game. This is about Sony attempting to send a message: The PS3 is ours, not yours. Play by our rules or we will ruin you financially. To anyone else: freely discuss the hack, or, for that matter, look at it, and we will come after you, too.

I have considered everything from staying completely silent on this issue–certainly the safe choice career-wise–to getting a tattoo of the leaked key. But I can stay silent no more. Sometimes you have to speak up for what you believe is fair and right. And I believe it was fair and right for George Hotz to use his device in any way he chose to. I believe it was wrong for Sony to remove a feature that people paid for and had a reasonable expectation to be able to use. And I believe it is right for everyone to freely and openly discuss the hack, including the key, so that they may use their own device in any way that does not involve piracy, and to further the discussion about what device security means.

If the facts are truly what they appear to be, then I support George Hotz and I wish him well in his case.

How Free Do You Want to Be?

December 21st, 2010

When I bought a laptop about three years ago, I booted it up, read the Windows Vista EULA and decided it wasn’t for me. A quick reboot and install of Ubuntu took care of my concerns and has served me well since then. So when that laptop bit the dust, I already knew that Windows wouldn’t be on the laptop long enough to boot to the EULA.

Even though I am using predominantly free software, there are trade-offs and decisions to be made. Do I want to use the free ATI driver at the expense of 3D acceleration and performance or the more fully-featured non-free version? Do I want to use the Adobe Flash player (from a company who had Dmitry Sklyarov arrested for legal activities in his own country) or the free-but-somewhat-buggy Gnash player? Would I be willing to give up contributing to OSSEC Windows Agent development, even though the agent, itself, is free?

Perspectives on software freedom range from purists such as Richard Stallman, who believe all software should be free, to people like my wife, who really don’t care and would rather just have it work. For myself, I am most interested in maintaining a healthy marketplace where free and non-free software can offer users viable alternatives–a marketplace that ensures information can be exchanged freely and easily. Using and maintaining proficiency in free software allows me to easily make that choice if the developer of a non-free software application presents unacceptable terms.

We’re entering a new era of computing. It’s an era where phones and tablets are finally making their mark, while desktop computing takes a back seat. It’s also an era where user choice is being annihilated by companies like Apple, who make it abundantly clear that they consider the device they sold to the consumer to still be theirs, and who act as the gatekeeper deciding exactly how you can use your device. It’s an era where the bundling of the browser to the OS is the least of our worries; now the companies control the entire platform.

Freedom is all about choice. It’s also about evaluating the trade-offs. When there is a clear free and non-free solution to my problem, I try to default to the free option. By doing so, I help to keep the ecosystem alive and thriving, which, in some small way, ensures the free flow of our information now and in the future.

Update: A perfect example of Apple trying to control the free flow of information can be found in this article, in which Apple is described as removing the Wikileaks app. It is not for Apple to decide whether or not its customers should be the consumer of such information on devices they own. Enough said.

Categories: Ethics, Personal Liberty

The Cost of Security

November 17th, 2010

When I went searching for a better interest rate for my emergency fund, I ran across a bank that offered over 5%, with relatively few restrictions. I thought this might be a good bank to work with.

So I set up an account, and immediately noticed some things that had me concerned from an information security perspective. The password length was limited to six characters, e-mails to their support contact resulted in a bounce message from two people who apparently no longer worked there, and they were leaking other information that gave me details about their internal network. This was all noticed without actively probing them in any way at all. Finally, when I brought the issues to their attention, the best response I got was that they were planning a system upgrade sometime around September.

In that case, the actual price to me of taking an action to protect my information security, assuming I had invested $25,000 with them, would have been almost $100 a month in lost interest.

Cost does not necessarily equate to price, though. Price can be expressly measured in very finite terms, where cost is often a collection of values. In the example above, we might say that the price is around $100 a month, but the cost could include stress, time and aggravation from a resulting security breach.

I am reminded of this lately with the recent news surrounding the backscatter x-ray machines currently in operation at US airports, combined with the “enhanced” pat-down procedures for those that refuse to go through the machine. I don’t think it’s too strong to say that we are left with the choice of having a revealing picture taken of us, or being fondled by a TSA agent. This is the trade-off we are supposed to accept for enhanced security.

This might be an acceptable trade-off if the technology and procedures significantly reduced the risk of dying in a terrorist attack. But according to reason.com, the risk of dying in a plausible attack is actually far lower than the risk of dying by crossing the street, and this was before the machines. And when asked about the technology, Rafi Sela, a security expert at Ben Gurion airport in Tel Aviv, Israel, had this to say:

“I don’t know why everybody is running to buy these expensive and useless machines. I can overcome the body scanners with enough explosives to bring down a Boeing 747.”

On the surface, it would seem that the machines simply aren’t worth it.

Now ask yourself how you would feel if the system stopped a major attack, and it could be shown that no other countermeasures would have stopped it? How would you feel if someone close to you was killed by a terrorist?

Or maybe the question is, how would you feel about your three-year-old daughter being photographed by one of these machines?

These provocative questions go beyond the statistics to the essence of what we are–human beings. They at the same time expose our fears and our fallacies; our fear of attack and the fallacy of not being able to accurately intuit risk.

We’re being asked to pay a higher and higher price for our safety and security, but at what cost? Are these trade-offs worth it? Have we taken a rational look at the alternatives? Are we being led by fear, allowing our liberties to be usurped by largely ineffective security measures? Will our children accept this as normal and routine? How far will it go? Before you answer, could you have envisioned this even five years ago?

At what point will the answer simply be, “No!” Security always has trade-offs. What are you willing to give up in the name of security?

Amtrak (In)Security

June 10th, 2010

I had the good fortune recently to take a few days off. We decided to travel to a city a few hours away by train, a method of travel that is generally comfortable and relaxing.

Being a security guy, I couldn’t help but notice the lack of security. My ID was checked only once when heading to our destination, but not on the leg back. The guy obviously didn’t even look at it very closely and he didn’t use one of those little ultraviolet lights. My luggage wasn’t inspected at all, nor was my person. There were no metal detectors. All I noticed was a few cameras and a sign telling me to watch out for suspicious stuff.

It would have been trivial to load myself up with automatic weapons or even pack my suitcase with explosives. At a minimum, I could have destroyed the portion of the train I was on and killed everyone on it.

I got to thinking–in the post 9/11 world we live in, how could this be? Didn’t they think to secure the rail system? Wouldn’t an attack on the railway instill fear in America and be an easy target? Of course they must have thought about this. There must be other explanations.

Perhaps the intelligence indicates that the railway really isn’t a target. Perhaps Amtrak doesn’t have enough money to implement something like the airlines have, and since they haven’t been given a mandate or been taken over by the government, they haven’t done anything. Maybe it’s “in the works.” Maybe there aren’t enough resources to go around and this is at the bottom of the list.

Whatever the case, I came to realize that I really, really enjoyed the lack of security. I didn’t feel any less safe by not having my luggage swabbed. I realized that I most likely had a much higher risk of dying in the car on the way to the Amtrak station than I did by a terrorist attack on the actual train.

Would I feel differently if there had been a recent terrorist attack on a train, or if I had survived a terrorist attack anywhere? Possibly. But not having gone through that experience, I realize that fearing an attack on a train is a mostly irrational fear and a risk that may not be worth doing anything about.

Now the lack of on-board wi-fi is another matter entirely…

Categories: Dialogue, Personal Liberty

Ubuntu One Music Store Follows You Home

May 17th, 2010

The new version of Ubuntu includes integration with the 7digital.com music store. No longer do open source users have to rely on proprietary applications like iTunes. They can now purchase good-quality music using only free software.

Like most other online music stores today, 7digital sells non-proprietary, but patent-encumbered MP3 files. This is leaps and bounds better than the DRM-laden files which used to be sold by stores like Amazon and iTunes.

And while there is a bug which discusses some of the issues surrounding relying on a patent-encumbered format, rather than something free like Vorbis, there is one critical issue that free software users are not debating.

Allow me to demonstrate by quoting from the 7digital.com Terms and Conditions:

(i) You are authorized to use the Content only for personal, non-commercial use, and not for redistribution, transfer, assignment or sublicense, to the extent permitted by law.

So, unlike a traditional CD you buy at the store, you are contractually agreeing not to lend it to your friend, donate it to your library, or when you’re tired of it, throw it up on eBay for sale. In short, it makes it a breach of contract to share your music or even to sell it when you have outgrown it or lost your job.

The Terms and Conditions continue:

(ii) You are authorized to use the Content on up to five authorized devices at any time. 7 reserves the right to limit the number of authorized devices further and the number of authorized downloads to comply with the wishes of its licensors.

And there we have the DRM. The difference here is that it is implemented in a contract, not in technology.

And just when you thought it might be over, they throw in this little gem:

(iii) You may not use Content as a musical “ringer” in connection with mobile phone calls.

Take all the fun away, why don’t you.

Ubuntu certainly isn’t the only one guilty of implementing the DRM through a contract rather than technology, but honestly, I hoped for better from a distribution that espouses to be freedom-focused.

If the free software community can accept this, what hope do we have for retaining the rights under U.S. copyright law that we have enjoyed for so long? If we contractually give up those rights on music, video and most importantly, books, what does that say for the future of the independent after-markets, fair use and archival?

Beware of Blooms Today

December 30th, 2009

One of the nice things about having your own blog is that you get to warn others about companies to avoid. One such company is Blooms Today.

We ordered flowers from Blooms Today quite some time ago and recently they have taken to sending me “checks” in the mail. These are checks for about six dollars and change. There’s a catch, obviously. If you cash the check then you’re agreeing to sign up for some kind of expensive recurring service, for which they will take the liberty of charging your credit card almost $200.

The mailing looks like a check you might receive from your employer or maybe even as a tax refund. It’s one of those tear-across-the-sides-and-top type of envelopes.

It’s a shame that companies have to stoop to the level of baiting you with dishonest sleaze-ball tactics such as this. Instead of interesting me in future business, they have only served to ensure I will not only never order anything from them again, but also warn others about their shady business practices. If I feel particularly ornery, I might even just send it along to my state Attorney General.

Beware and be safe!

Categories: Dialogue, Personal Liberty

Who Controls Your Phone?

November 16th, 2009

My wife got an Apple iPhone over the weekend. It’s an amazing piece of technology. Apple has done a fine job adapting a traditional computer into a phone form-factor. It truly sets the bar at an entirely new level for portable computing. Of course, there’s also an integrated phone.

I emphasize that it’s a computer because it has all of the characteristics of a computer. With the iPhone, the phone is simply another application on the computer–not unlike a Skype application might be installed on your Windows computer.

Our models of computers and phones have strong, but mostly disassociated relationships. We have a history of using computers as an important extension of all sorts of information. We understand that allowing others to have total control over our computers is generally a bad thing, whether that someone is a government entity, corporation or script-kiddie. Phones, on the other hand, have traditionally been far less complicated. There is a pretty basic hardware device and a service provider. The risks are well understood.

As I was playing with the iPhone and trying to find ways to meet my wife’s IT needs, it became increasingly clear how little control I had over this computer. Without jailbreaking the phone, I had no way to get a shell, and therefore no way to collect logs, change passwords, harden the underlying OS, install intrusion detection, or do any of the other things I would normally do to a computer I managed. Apple was my only source for applications and only those applications which Apple approved of could be installed. My hands were completely tied.

Unless I jailbreak this phone and accept the risk of something else not working, or Apple breaking it in an update, and explore the ethical questions as a result of doing so, I am completely at the mercy of Apple for the phone security and functionality. My risk assessment is theirs. My acceptance of risk is their acceptance of risk, which undoubtedly is primarily influenced by their bottom line.

This goes far beyond risk management. Imagine the outcry if Microsoft only allowed applications which they permitted to be run on Windows. We would have a world entirely dominated by Microsoft.

We need to lobby our lawmakers to, without equivocation, absolutely require computing platforms to be open enough for fair competition and where one company cannot call all of the shots. This is not about open source, this is simply setting requirements for a heterogeneous platform where the risk of total control of data is minimized.

As the world becomes more mobile, this will need to be increasingly recognized as an essential liberty.

Categories: Ethics, Personal Liberty

Detecting Scared Terrorists

November 6th, 2009

From the “What can we do to stop terrorism, without actually addressing terrorism” department, comes the news that scientists are researching how to sniff out scared people at checkpoints.

In the research, scientists discovered that they could literally detect the pheromones produced when someone is afraid. That’s not so surprising, but what is mind-boggling is that one of the proposed implications of the research is to be able to identify “scared” terrorists.

I’m not even sure where to begin with this one, but let’s give it a try. Here are just some of the potential vulnerabilities in this stupid idea:

  • Many terrorists seem to be so brainwashed into believing that they are about to get 72 virgins that they’re probably more likely to be a bit “happy,” rather than scared if you know what I mean.
  • Sociopaths won’t be scared.
  • When we recently took my three-year-old daughter through an airport checkpoint she probably would have been tagged. It would have been because they took her Cabbage Patch doll to scan for hidden bombs.
  • We better hope there are no nearby spiders and arachnophobes.

Do I really need to continue?

Fighting terrorism with stupid ideas like this only serves to take the focus off those areas where we need to pay attention. With limited resources, we can’t afford to divert our attention from those techniques law enforcement has been using for years and which are proven to detect and stop criminals.

This idea smells stupid because it is.

Categories: Personal Liberty, Privacy, Research

Four Great Online Copyright Tools

September 22nd, 2009

Who knew that a bunch of librarians could produce cool, online tools? Well, the folks over at the Copyright Advisory Network have done just that. Here are four tools to help you navigate the sometimes confusing and seemingly obscure US copyright law:

  • The Public Domain Slider is my favorite of all of these tools. For example, did you know that a copyrighted work first published prior to 1923 is now in the public domain? That means you can use, sell, redistribute and do whatever else you want to all sorts of wonderful print, audio and video. Go ahead and post them to the file sharing sites and have a chuckle if you get a cease and desist letter.
  • The Section 108 Spinner is primarily for librarians and archivists. Under certain circumstances, they get to reproduce entire copyrighted works. Those wily librarians get to have all the fun!
  • The Exceptions for Instructors eTool is for, well, instructors. Just like librarians, instructors can laugh off all of those litigious attorneys who would rather they didn’t know their rights under copyright law. Am I the only one picturing a teacher with a cape and a big © on their chest?
  • Finally, the Fair Use Evaluator helps you to make a subjective determination whether your use is defensible as fair under the law. Remember, fair use of a copyrighted work does not require the permission of the copyright holder. Also remember that it is a defense to infringement, which means that a judge gets to decide if your use was fair once sued.

Until next time…

Categories: Ethics, Personal Liberty

Professor Challenges Copyright By Posting Material

September 17th, 2009

To the best of my knowledge (and I am not an expert), material produced by the government with taxpayer money (with certain exceptions) is in the public domain. As well it should be. If we paid to produce it, it makes sense that we should have access to it. Public domain material is truly free. It is not copyrighted. It’s accessible to anyone for any reason to do anything they want with it. You can copy it, re-use it, make it into other works and make nice bird houses out of it.

Bill Harbaugh, Professor of Economics at the University of Oregon has challenged the Oregon Attorney General by posting the “Oregon Attorney General’s Public Records and Meetings Manual” online, in direct defiance of a warning from the AG.

The AG believes this is copyrighted material, despite his public position and despite that this is a guide which explains how one can access various public records. That’s an understandable position for the Oregon AG to take since they sell it for $25.

Today, I applaud Bill Harbaugh. This guy has a set. We need more people, and especially more well-educated and respected people to draw a line in the sand against abuse of copyright law. Remember, copyright law (at least in the U.S.) was designed to ensure a balance of rights between the creator and the recipient. It is not designed to give the creator absolute rights. At least in this case, it doesn’t even appear that copyright law should apply. It seems clear that this document should be in the public domain.

Way to go, Professor Harbaugh!

Categories: Ethics, Personal Liberty