Re: DCMA, TI, Calculators, and more [Jennifer Granick] Sep. 25, 2009

MS owns the network and can do any damn thing they want with it. It's their choice. Don't like it, don't buy an Xbox.

Re: DCMA, TI, Calculators, and more [Jennifer Granick] Sep. 25, 2009

And it seems that Microsoft has cut off, last I heard the number could be 1 million XBox users who mod'ed their XBoxes. MS says they are using pirated software. First thing that came to mind is that they were playing backups copied from the originals. Ya sure, there are probably quite a few "pirated" games, but MS just cut them off permanently. They have to buy a new unit if they want to play online. OUCH!.
http://www.telegraph.co.uk/technolog...Xbox-Live.html

If the 1 million units can be believed then that would mean $299 per unit that would have to be "re-purchased". In my mind at least half will go Sony's way. That means that Sony may get a $150,000,000.00 boost.

Re: DCMA, TI, Calculators, and more [Jennifer Granick] Sep. 25, 2009

best example of that these days... the Android platform for mobile handset devices. because it's wide open and people can just develop whatever they wish, loads of features that the community wants become perfected and rolled into the latest version of the system during official releases.

my rooted Magic phone had multi-touch, for example, long before most T-Mobile customers. however, it had occasional weirdness... then it got better a week later. now, with the latest update to Android, all customers are officially getting multi-touch display capability.

compare the loads of apps that Android does really well with sister applications on the iPhone that don't quite work properly... i really fail to see how anyone doesn't grasp the huge groundswell of support and new ideas that openness feeds.

yes, you get occasional customers figuring out how to tether their phone as an access point (with is really fucking useful, i have to say) or routing data around in order to get basically unlimited everything for $5 per month... but that's the exception, no the rule.

for every one person doing that, i'd bet you have 100 people who are thrilled with the "new" things their phone keeps supporting... all because of tinkerers posting on forums and coming up with new ideas.

Re: DCMA, TI, Calculators, and more [Jennifer Granick] Sep. 25, 2009

Just some 2 cents worth...

A number of things that TI (and possibly others) are missing is that when "tinkerers" get a hold of something and enhance an item, word gets around and they most likely wind up selling more of that item. I think I have ruined more things than I successfully modified over the past 35 years. TV's, radio's, telephones, computers (trs80, sinclair z80 etc). A lot of times I went out and bought a second one (after a while, if i could afford it, 2 right off the bat). Some develop a cult following, the WRT54GL comes to mind. I remember Popular Mechanics making the Z80 a popular mod product. No one complained, either they ignored it as inconsequential or they smiled knowing more were being sold.

The problem stems from business majors who have no idea what the true technological potential of their product is. All they see is $$$ and what they perceive that they could be losing. Take a look at how companies treat IT now a days. They don't see the technology as the asset, they see the perceived usefullness (their definition) in terms of the money they are losing or costing them (same effect). It seems that the more business types (read MBA's & lawyers) try to control something, the more that it is evident that they have no idea of the true potential the technology or technologists that they employ. Hence the limited view.

They think they are protecting their intellectual property when all they are doing is to alienating a group of people who have become experts by their tinkering. And we all know about word of mouth. My mother may not know a thing about anything technical, but she does ask me what I recommend.

Let's put it this way: if a product withstands my abuse and still works, wow!

thx0027

Re: DCMA, TI, Calculators, and more [Jennifer Granick] Sep. 25, 2009

Yes. And because by your definition I am a "dark arts" researcher, I have nothing else to state. Thank you for a well thought out commentary.

Regards,

valkyrie
__________________________________________________ _
sapere aude

Re: DCMA, TI, Calculators, and more [Jennifer Granick] Sep. 25, 2009

Perhaps a result of this kind of legal abuse of the DMCA will push R&D of products purchased by consumers into an underground, or outside of the US. Researchers with good intentions and a desire to learn about systems will continue to learn about systems. Instead of publishing their work and research, they will instead trust their research with peers in private groups. Specialists will work in private to refine their results, and any number of P2P networks will allow for anonymity of distribution of exploits, and gpg could provide signatures for authors and still retain anonymity.

Does this sound familiar? It should. Consider the piracy and copy-protection "cracker" groups that defeated various kinds of copy protection during the 1980's. They kept their secrets within their groups and did not offer trust to outsiders. Anonymity wasn't as strong as the technology and BBS were obscure, but the systems of defense were somewhat effective in its time.

But 30 years later, discouraging analysis of products has even greater risk. Now, we have even more of our world dependent upon increasingly more complicated systems, and these systems take advantage of layers of abstraction as components by relying on other systems which can rely on other systems. As systems that include firmware, code, or procedures protected with legal threats and "fines" imposed against researchers are integrated into increasingly more complex systems, the larger system will be increasingly burdened with, "unknown," problems -- at least unknown to the public.

Of course there is a difference between the 1980's with copy protection cracking groups and the world today:
* governments are encouraging employees to discover weaknesses in systems used by, "the enemy."
* groups of people have created organizations that have hierarchical structures similar to mafia groups, and deal in scams, or spam on the Internet
* and there are still independent researchers that don't work for either but find learning about systems enjoyable.

What do you (the reader, any reader) know about the complexity of probability when taken, not as an individual event, but as a combination of events? Assume you have several 10-sided dice. Each one refers to a component, subsystem, bit of software, firmware, or service. If each of these has a 1 in 10 chance of having a defect, then what happens when they are all joined and end up working together? It isn't still just a 1 in 10 chance for the whole system to be broken, or exploited. There is a 1 in 10 chance for each part, and if we don't roll a 1 for the first subsystem then we can always roll again for the next subsystem.

One way to consider this is to look at what the chances for an event to not happen with each try and then subtract that from an absolute certainty. So, 1.00-(1.00-0.10) is .10 or 1 in 10 that you would roll a 1. But if you didn't roll a 1 the first time, might you roll a 1 the next time? 1.00-((1.00-0.10)^2) = 0.19 or nearly 1 in 5. With 10 systems, 1.00-((1.00-0.10)^10) = .6513215599... and with something like a power station with many systems and some system running operating systems with their own applications, the scale of complexity could exceed hundreds or thousands. At 100 such systems, .9999734387, which is like 99.99% likely, and at 1000, .9999999999999999999999999999999999999999999998252 128748277348..... (of course, my math is a bit rusty, so i hope I did this correctly.)

In the end, it would seem that legal abuse with the DMCA will continue to make reverse engineering and cryptanalysis into "dark arts" and force these researchers to find ways to retain anonymity while continuing their research. Systems will be exposed to unknown weaknesses and the people that understand the weaknesses will be afraid to step forward to reveal the problems to they can be fixed. Meanwhile, members computer criminal groups or foreign intelligence will learn about weaknesses. The only groups that won't know about the risks will be the defenders, the manufacturers and the consumers.

Anyone care to comment? Is the DMCA and its legal abuse going to harm full disclosure and push related research underground?

Re: DCMA, TI, Calculators, and more [Jennifer Granick] Sep. 25, 2009

This question can be answered in many ways from many perspectives, much like how the cases involving the DMCA are open for interpretation by a judge. My own opinion would be very much. There is always the risk of legal action from the companies using the DMCA to protect their assets, be it for profits/trade secrets, or the proverbial ass covering/security through obscurity. Their reasoning really means little in a courtroom, as they are not the ones on trial if you will. It's up to the researcher/defendant to prove that their actions are not infringing on what the plaintiff "owns". This is where it can become hinky when it comes to litigation happy corporations who take the "don't use it for anything we don't tell you to, or we'll sue your ass" approach.

With the calculator example, I can't at all see how this would impact TI's profits, other than their sales being boosted. The potential to load a homebrew OS, and take more advantage of the hardware only increases marketability, while their trade secrets, and proprietary designs are still legally protected.

Implying or projecting the threat of lawsuit for tinkering, researching, reverse engineering, etc. really does limit the amount of people willing to do it, and thus limits not only the real security of a product, but the overall advancement of the technology. When something is broken, but not publicly known to be broken, that's when the real security threats evolve, we've all seen it in virtually every aspect of technology.

Absolutely not, security through obscurity has proven time and time again to be a bad idea. When the security measures of a product are researched by those wishing to improve them, technology advances. When the security measures of a product are researched by those wishing to exploit them, damage is done to the consumer, and the producer. The former of these examples is the more likely to go public.

Unfortunately not through any examples I've been able to find. The only feasible way to avoid said "fines" would be anonymous research and dissemination. And that in it's own right is a big risk to a company. If someone fears legal action for their research, they are less likely to bring their findings to said company before various public outlets. Currently that I'm aware of, there is no other repercussion for these companies. They simply don't risk much from filing these kinds of suits. If they lose, there is little to nothing at stake in the big picture.