International Treaty on Cybercrime... Read the Fine Print
Misc.
3/24/2001; 7:37:03 PM '...if you counsel U.S. corporations on computer-related issues, you should be concerned about a new proposed treaty known as the "Convention on Cybercrime." The Council of Europe, a 43-nation public body created to promote democracy and the rule of law, is nominally drafting the treaty. Curiously, however, the primary architect is the United States Department of Justice.

2600 DECSS REPLY BRIEF FILED
DVD & DeCSS
3/23/2001; 11:56:23 PM 'Our legal team has filed a reply brief responding to the claims made by the MPAA, US Government, and various major league sports entities. A great deal of work went into these briefs and they've really outdone themselves. Our deepest thanks go out to all of those at the EFF, FGKS, and everyone else who helped make it happen.'

Napster Says It's All Confused
Music & MP3
3/22/2001; 8:57:38 AM

Certain people's chortling about how Napster could suddenly filter their music was premature; technology didn't magically make a leap allowing Napster to do the impossible and now, right on schedule, Napster's having trouble filtering the files:

'While song-swapping through Napster has dropped sharply since the company began policing its system, the file-swapping service reported Wednesday that it's having difficulty complying with a court order requiring it to remove copyright material....

ACLU and ALA fighting Library Filters
Censorship
3/21/2001; 11:47:11 AM

This has been reported recently by many media sources, but I was holding off until I could find the actual complaints. Here they are: The ACLU's complaint is at http://www.aclu.org/court/multnomah.pdf and the ALA's complaint is at http://www.ala.org/cipa/cipacomplaint.pdf .

I've been thinking about library filters lately (it came up on the weblaw list) and I think the answer lies in neither approach. Why do we [think we] need library filtering? There are two reasons: One, we don't want "little Johnny" stumbling upon inappropriate content, and we don't want the other library patrons subjected to inappropriate content. "Inappropriate content" applies to both reasons, but they are quite separate reasons in reality.

Most filters use a blacklist to filter out inappropriate content, thus trying to kill both birds with one stone. The blacklist is created by humans, and thus is inevitably inaccurate, out of date, and highly subjective, because being listed on the blacklist requires an active judgement call, "This site is inappropriate." It does such a horrible job of filtering out that inappropriate content that it should not even be considered for the job. Blacklists can't even do a good job in computer science theory; as you might expect the real world implementations are even worse.

There are two prongs to the problem, I think two prongs to the solution are necessary as well. First, I think Johnny should be protected by a whitelist approach, not a blacklist approach. (A whitelist is a list of permitted sites, and you can only visit those permitted sites.) A government provided whitelist is much more reliable than a blacklist. It's not 100% (whitelisted sites might be hacked, bought by another party, etc.), but it should be practical to do well in excess of 95% reliability.

To be listed on a whitelist, a site need merely be useful and appropriate. Not being listed on a whitelist implies nothing about the site. After all, what are the odds iRights will show up on a whitelist any time soon? I'm too small to care about. This eliminates the debates over the inaccurate categorization of sites.

You might find the suggestion of a whitelist approach strange coming from a ''free speech'' activist like myself, but there are two reasons I think this is acceptable. First, like it or not, the "little Johnny"'s we are talking about do not have much in the way of free speech anyhow. Two, libraries are whitelists. You can not obtain arbitrary content from a library, you can only get what they have there, or can get there. Only approved content gets into a library anyhow, and a library has some sort of standards for approving that content. Whitelists are essentially already considered acceptable for libraries and children, even if the reason was economic reality rather than philosophy.

The other prong is the protection of the other patrons. That's actually doable right now, and needs no new law. People over the age of 18 should be able to request unfettered access, or sign their children up for it. At that point, all controls are off. But most of the things people are worried about... "What if some pervert comes in and views porn where everyone can see it?"... are already illegal. That's sexual harassment, or harassment of some form... there may not be a court precedent for it, but it would not be difficult, I think. What more could a prosecutor ask for than a "sexual harassment" charge?

Tools can be made available to make this easier, like making it easy for the librarians to monitor the contents of the computer screens. Mandate some minimal level of supervision if you like. But if Big Johnny wants to visit the KKK's web site, he should be able to... just as Big Johnny can probably check out books on the KKK too. Just because one visits a site does not mean one agrees with it! Making a big deal or using that site to harass people would be, well, harassment... same as if Big Johnny started thumping on the book in the middle of the library and telling all the African-American patrons about how right the KKK is. That's already harassment, why create new, untested laws for just this particular kind of harassment?

When I look at the issue with clarity, and separate the parts rather than mix them all together, I find I'm not certain which of these problems the conservatives pushing this intend to address. I think that for a lot of them, these two problems are inseparably confounded together, and they'd be happy to filter adults' access to the 'net (assuming filters work, which they are willing to lower their standards for if that's what it takes). This indeed should be fought, and in this case I support the ACLU and the ALA... even though they'd probably fight my scheme with equal vigor.

Sweaty Scenes from the Life of a Censor
Censorship
3/21/2001; 11:30:27 AM A story from a real-life AOL censor. It's interesting to see the "other side" of the issue, that of the human censors.

Websites forced to reveal user identity
Country Watch: Britain
3/20/2001; 6:09:31 PM

'A High Court judge has told two UK websites to reveal which user was behind defamatory messages placed in discussion groups.

'Legal action launched by net company Totalise has ended with the financial websites the Motley Fool and Interactive Investor International being forced to hand over the identity of the user who was only known online by a nickname.

'The ruling could have implications for any website that lets people post messages anonymously.'

Note this does not appear to be a case of borderline libel, with the author being sued just so the libelled party can unmask them and subsequently drop the case. Apparently, this is a clean-cut case of libel and the libelled party does intend a full-fledged lawsuit. This I have no problem with.

.Net demystified: What you must know
Privacy from Companies
3/20/2001; 8:52:06 AM

'Suppose, for a moment, that everything could talk to everything else. Your calendar could get information from and supply data to your documents, or your cell phone, or someone else's calendar and cell phone. Your computer's desktop could tell you that your dry cleaning is ready or your bank account is overdrawn....'

'To do this, Microsoft wants to know everything: the information in your user profile, address, and application settings; what devices you use; what's in all your documents; your favorite Web sites; where you are at any given moment; your credit card numbers and payment information; the contents of your personal calendar, contact list, and e-mail inbox; and probably a few things I've left out.'

The article discusses the possibility that somebody will hack this datastore because it's a tempting target. Do the basic analysis: "How hard is it to get into?" and "How tempting is the target?" Remember, security is never perfect, so this analysis is based on the idea that you need enough to make what's being protected not worth breaking the protection.

The answers aren't encouraging. "How hard is it to get into?" Not to bash Microsoft, but security has never been on their priority list. Granted, there are exploits for every system, but at least the BSDs care about security, and the Linux people do on some level as well. Microsoft does not really have a track record for caring. I'd guess security will be relatively easy to crack, at least at first. (Actually, this would be sort of fun. Maybe I should learn more and do some white-hat work for .Net. Then again, my plate's full as it is.) How good they can make it will be interesting to watch. Also note that it's not just Microsoft's security that can be breached. Depending on the software being run against Microsoft's services, you might be able to crack that somehow. If enough people are using some third party solution, that third party solution could open holes, even if Microsoft does their job perfectly. It's an awfully large system, with an awful lot of ways into the primary datastore... surely one of those ways will end up being insecure.

"How tempting is the target?" Let me ask it another way. "Can you imagine a more tempting target?" I can... Microsoft's servers probably don't have your social security number... but that's about it! Credit cards, buying history (if you're going to commit credit card fraud, buying histories are a great help; you can try to fit into the pattern of spending on the card so nobody notices anything amiss), e-mail (which isn't always just saying hi to friends; think industrial spying), what more could you ask? With a target this tempting, .Net will be the target of every cracker worthy of the title. What are the odds Microsoft will stop every last one of them?

With a target this tempting, rock-solid security will be necessary, security to challenge the likes of the NSA and CIA. I for one definitely won't trust anything important to Microsoft.

I must admit I'm surprised at this centralization business. When you can buy a 40 GB hard drive for 100$ and have it on site, with the extremely high bandwidth and great low latency that only a hard drive stuck in your actual computer can provide, why move the data off the desktop machine? It's great that you can, there's power and flexibility in this architecture, but there's nothing in the architecture that necessarily implies that the data has to be housed by a central repository. You should be able to set up a net-connected desktop as your data-store, and tell any .Net component to use it. Maybe you can and I just haven't heard about it. I sure hope so.

Human Justice for Human Beings
Essays
3/19/2001; 12:41:45 PM 'The 1950's science fiction authors were half-right. We will be enslaved to machines, but it won't be because they rose up and overthrew their creators. We will voluntarily enslave ourselves to the machines because it is cheaper in the short term.'

Glenn Fleishman on Gilmore and Censorship
Censorship
3/18/2001; 12:28:38 AM

Glenn Fleishman saves me the effort of writing that essay. Suffice it to say I agree wholeheartedly.

'Crying for a commercial contract violation is also ridiculous. Verio's not the government. They're not restricting your friggin' freedom of speech. They're preventing you from doing something that violates their commercial interests, as well, incidentally - just by the way - feeds into the ability of spammers worldwide to continue their hideous mission.'

Defeating E-mail bugs and Spyware on Windows
Protecting Yourself
3/17/2001; 7:28:09 PM

You can't quite eliminate spy-ware with these techniques, but you can make a massive dent in them.

About a year ago I found a product called Zone Alarm, which bills itself as a free personal computer firewall program. It's not quite what I'd call a firewall, though, in that it takes a decidedly non-traditional approach to the problem. Basically, it grants and denies permission to access the internet on a per-program basis, independently for home networks and the Internet. For instance, you can tell this program to allow your browser full access to the Internet, yet some internal corporate program access only to the local net. Or you can allow programs to go out to the net, but not accept connections (or vice versa).
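
A minimal model of the per-program, per-zone decision described above, added here as an illustration; it is not Zone Alarm's code. The program names, the 192.168.1.0/24 local zone and the sample connection attempts are constructed assumptions.

```python
import ipaddress

# Constructed sample: networks the user has marked as the trusted local zone.
LOCAL_ZONE = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed per-program policy: program -> zone -> permitted directions.
# "connect" = open outbound connections, "accept" = act as a server.
POLICY = {
    "browser.exe":   {"local": {"connect"}, "internet": {"connect"}},
    "timesheet.exe": {"local": {"connect"}},            # local net only
    "fileshare.exe": {"local": {"connect", "accept"}},  # may serve, locally
}

def zone_of(remote_ip):
    """Classify the remote end as 'local' or 'internet'."""
    addr = ipaddress.ip_address(remote_ip)
    return "local" if any(addr in net for net in LOCAL_ZONE) else "internet"

def decide(program, remote_ip, direction):
    """Return 'allow' or 'deny'; anything not explicitly granted is denied."""
    if direction not in ("connect", "accept"):
        raise ValueError(f"unknown direction: {direction!r}")
    granted = POLICY.get(program.lower(), {}).get(zone_of(remote_ip), set())
    return "allow" if direction in granted else "deny"

# Constructed connection attempts: (program, remote address, direction).
EVENTS = [
    ("browser.exe", "203.0.113.10", "connect"),
    ("timesheet.exe", "192.168.1.20", "connect"),
    ("timesheet.exe", "203.0.113.10", "connect"),
    ("fileshare.exe", "192.168.1.20", "accept"),
    ("fileshare.exe", "198.51.100.7", "accept"),
    ("adhelper.exe", "198.51.100.7", "connect"),   # never granted anything
]

def denied(events):
    """Return the attempts the policy blocks, e.g. for an alert log."""
    return [e for e in events if decide(*e) == "deny"]

if __name__ == "__main__":
    for program, ip, direction in denied(EVENTS):
        print(f"DENY {program} {direction} {ip} ({zone_of(ip)} zone)")
```

Because a program with no entry gets an empty grant set, an unrecognised program phoning home is blocked without anyone having to list it first.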