Toysmart suspends auction of customer list
Privacy from Companies
7/28/2000; 8:06:36 AM 'Objections to the sale of confidential customer information have driven Toysmart.com to temporarily pull its customer list from auction, according to the Massachusetts attorney general's office....

'"The debtor said that because of all of the objections being filed (against the sale of its customer list), no bidder was wanting to come forward," said Massachusetts Assistant Attorney General Pam Kogut. "All of the objections had chilled the possibility of a sale." But this does not mean Toysmart will no longer consider the sale of its list, she added.'

Yesmail.com versus MAPS: Lawsuit on hold
Spam & E-Mail
7/27/2000; 1:56:28 PM 'REDWOOD CITY, CA and CHICAGO, IL – July 25, 2000 -- yesmail.com, a leading outsourcer of permission email marketing services and technologies and a majority-owned company of CMGI, Inc. (NASDAQ: CMGI), and Mail Abuse Prevention Systems, LLC (“MAPS”) today announced that they have signed a Memorandum of Understanding which puts the previously reported litigation on hold, lifts the Temporary Restraining Order (TRO), and does not list yesmail.com on MAPS’ Realtime Blackhole List, pending further talks between the companies. Executives from MAPS and yesmail.com are working jointly to clarify optimal practices for the email marketing industry for obtaining consumer permission and protecting against fraudulent registrations. The companies expect a formal announcement in the near future.'

'David Tolmie, CEO of yesmail.com, stated, “As discussions with MAPS have proceeded, we are both finding that the goals for yesmail.com and MAPS are very much in alignment. We are looking forward to being able to announce an agreement which will represent a very strong statement from both of us regarding policies and practices for consumer permission and protection in the email marketing industry.”'

'Paul Vixie, Managing Member of MAPS LLC, stated, “Once we started peeling back the covers on this, it turned out that yesmail.com’s stated business interests and the policies they were willing to put in place made them ineligible for listing on the Realtime Blackhole List (RBL). We think that the details we’ll set forth in the final agreement in this case will outline a model for all companies in the electronic marketing field.”'

Two days old; several people covered the suit, nobody covered this agreement; this is from the press-release archive at MAPS. I guess this means the issues at stake have essentially been pushed back into the corner.

Napster Stopped in Its Tracks
Music & MP3
7/27/2000; 8:53:35 AM 'A federal judge today has ordered the company to stop assisting its users in the downloading of copyrighted music, a broad if surprisingly sudden decision that the popular MP3-swapping startup said would effectively shut down its service. The company vowed to appeal the decision immediately.'

This is disappointing. While I don't know how the trial was going to be ruled, I thought the brief would have been enough to stop this on some perfectly legitimate grounds. In particular, I was under the impression that if some injunction would destroy a business, it could not be given. RIAA may have won this round, but if they don't end up winning the trial, they may have opened themselves up to some stiff reparations should the injunction later be overturned. The stakes just went up, for both sides.

'At today's hearing and in legal briefs, Napster has fallen back on a host of defenses.... Patel soundly rejected each argument, saying that none applied to Napster, whose primary purpose was to assist its users in finding and downloading copyrighted music. "You can hardly stand back and say, 'Gee, I didn't know all that stuff was ... infringing,' " Patel scolded Napster's counsel at one point. She also appeared unsympathetic to Boies' contention that an injunction essentially would shut down the fledgling service because it was impossible to know which of the songs it indexes are copyrighted. "That is the system that's been created, and I think you're stuck with the consequences of that," she said.'

If Napster couldn't even stop the business-killing injunction, this case is over. This judge has already ruled. Prepare your appeal. (iRights coverage about the legal briefs filed to block the injunction.)

Joel on Software Does Issuing Passports Make Microsoft a Country?
Privacy from Companies
7/27/2000; 7:30:57 AM 'Am I the only one who is terrified about Microsoft Passport? It seems to me like a fairly blatant attempt to build the world's largest, richest consumer database, and then make fabulous profits mining it. It's a terrifying threat to everyone's personal privacy and it will make today's cookies seem positively tame by comparison. The scariest thing is that Microsoft is advertising Passport as if it were a benefit to consumers, and people seem to be falling for it! By the time you've read this article, I can guarantee that I'll scare you into turning off your Hotmail account and staying away from MSN web sites.'

Always read what Joel has to say.

'Now, if you go to another Microsoft web site, say, www.investor.com, the same thing will happen: you'll get redirected to Passport and then back to Investor. Because Passport is "telling on you", even though your web browser is supposed to be protecting your security by following the golden rule of cookies, it's really Passport that is signing you in. Bottom line: Hotmail knows that you're the same person that just went to Investor. And that applies to any Microsoft web site: Slate, Expedia, Hotmail, Investor, MSN, etc.'

I'm not much of a source hacker, but when Mozilla gets released, there's a patch I hope to make. I want to:
1. Flat out block ALL use of "window.open" from anything but a click on a link.
2. Always pop up a warning about redirects such as the one Microsoft is currently using for Passport.
3. Eliminate "window.onclose" as an event; that's how people do things when you leave the site.
Something tells me those patches could become popular. (Actually, the ideal solution, which I don't have time to implement, would be to add another layer of security sandboxing, allowing the user to disable specified parts of ECMA/Javascript and the event model.)

RealNetworks admits to new spyware bug
Privacy from Companies
7/26/2000; 3:16:56 PM (Actually, the Register is a little mistaken... it's not a "new" spyware bug... see iRights coverage, July 17th, 2000.)

'A flaw in RealNetworks RealDownload, Netscape/AOL Smart Download, and NetZip Download Demon, discovered by Gibson Research founder Steve Gibson, appears, at least in the case of RealNetworks, to be the result of ignorance rather than nefarious intentions, according to a FAQ hastily issued by the company.'

'"We weren't even aware [the flaw] was there," RealNetworks spokesman David Brotherton said in an interview with MSNBC. "We were not using it to log users' behaviour in any way. The [unique identifier Gibson discovered] served no function we needed, and it has been eliminated."'

'Apparently, due to confusing information in Microsoft Windows developers' documentation (another shocker), an ID string the company had intended to be random actually identified users, and without RealNetworks' knowledge.'

I know this sounds like a little bending of the truth... but in Real's defense, it is plausible. To conduct any network transaction, unique identifiers are necessary. That is why your network interface is uniquely identified with a MAC address, built into the hardware at some point. (Even IP addresses are insufficiently unique; somebody else can claim them easily.) Since Microsoft provides a nice library function to generate a "UID", which is a highly random number (designed to be guaranteed unique to within some obscenely low probability of replication), it's natural that Real would use that function rather than write their own random number generator; those are notoriously tricky to actually get right.

However, what the programmer may not have realized is that "UID", the word I carefully left undefined in the previous paragraph, stands for "Unique IDentifier", and while it will be random, if called in the same way it produces identical numbers. It is plausible that the programmer(s) who made the decision to use that library function were unaware of that property. I don't know if Real's excuses are true, just that they're plausible.
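As an added illustration (not from the article, the Register, or RealNetworks) of how an identifier meant to be random can end up identifying a machine: time-based version 1 UUIDs embed a 48-bit node field derived from the hardware address, so every value generated on one machine shares it even though the rest of the value changes. That the Windows GUID generator of the time produced this kind of UUID is an assumption here; Python's standard library is used to show the property.

```python
import uuid

def uuid1_batch(n):
    """Generate n time-based (version 1) UUIDs.  Assumption for this
    illustration: the Windows GUID API of the era produced this kind.
    Each value looks random at a glance."""
    return [uuid.uuid1() for _ in range(n)]

def uuid4_batch(n):
    """Generate n random (version 4) UUIDs for comparison."""
    return [uuid.uuid4() for _ in range(n)]

def stable_node(ids):
    """Return the 48-bit node field if every UUID in ids carries the
    same one, otherwise None.  In version 1 UUIDs that field comes from
    the machine's hardware (MAC) address, so it is a persistent
    per-machine identifier regardless of how random the rest looks."""
    nodes = {u.node for u in ids}
    return nodes.pop() if len(nodes) == 1 else None

def looks_like_tracking_id(ids):
    """Review check for an identifier scheme: if a field reappears
    unchanged across independently generated values, the scheme leaks
    something persistent about the sender, whether intended or not."""
    return stable_node(ids) is not None

if __name__ == "__main__":
    v1 = uuid1_batch(5)
    v4 = uuid4_batch(5)
    for u in v1:
        print(u, "version", u.version, "node", hex(u.node))
    print("v1 carries a stable per-machine field:", looks_like_tracking_id(v1))
    print("v4 carries a stable per-machine field:", looks_like_tracking_id(v4))
```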

Ways to Defeat the Snooping Provisions in the Regulation of Investigatory Powers Bill
Country Watch: Britain
7/26/2000; 3:04:41 PM 'The Regulation of Investigatory Powers (RIP) Bill currently going through Parliament will introduce powers to allow a number of UK authorities to intercept Internet communications and to seize encryption keys used for the protection of such traffic and for the protection of stored computer data. Such powers are not limited in their application to those involved in criminal activities and this means that law abiding individuals and businesses may be subject to interception activities as well as demands to hand over their encryption keys. Although abuse of these powers may well be limited, there can be no doubt that this will sometimes occur and this means that honest computer and Internet users will bear increased risks to their privacy, safety and security once this legislation is enacted.'

'This paper aims to show that the envisaged powers for interception and for the seizure of encryption keys are technically inept. It also aims to offer honest computer and Internet users advice on the practical steps they can take to maintain their privacy, safety and security in the presence of the oppressive powers introduced by this legislation.'

To sum up this paper's author's opinion of the new powers being granted to Britain's police in two words: "Why bother?"

DVD Update: EFF Detonates Mind Bomb in Court on Final Day of DVD Trial (July 25, 2000)
DVD & DeCSS
7/26/2000; 2:05:04 PM

'EFF's DVD defense team rested its case on Tuesday in litigation over the movie studios' attempt to ban DeCSS software that enables people to play DVDs on their computers. David Touretzky, a computer science professor at Carnegie Mellon University, testified for the defense explaining the inherently expressive nature of computer code. Touretzky created a "Gallery of CSS Descramblers" on his university Web site illustrating a multitude of ways that the idea of DeCSS can be expressed using various languages - from plain English to source code to assembly language, etc. He walked the court through a step by step illustration, demonstrating how a series of 1's and 0's taken from one rendition of the code actually communicate a specific idea expressed in the English or C-source code versions of the software.'

Lots of meat in this story today. The judge was quite affected by the testimony, apparently, which may bode well in the long-term even if it doesn't change the short-term. David Touretzky also wrote a paper called "Source vs. Object Code: A False Dichotomy". Also, see the transcript for the day. (Search for the words "David Touretzky" to jump to his testimony... it's about halfway down.) I strongly recommend reading the transcript and visiting the gallery if you are not an expert in computer science; Prof. Touretzky lays out the case very, very clearly.

House Slows Down Speed Bill
Free Speech
7/26/2000; 1:57:36 PM 'A House committee voted to delete the most controversial sections of an antidrug bill on Tuesday.'

'Gone is the most widely criticized portion, which would have permitted police to conduct secret searches of homes and offices....'

'Civil libertarians and some conservative groups managed to remove restrictions on publishing or linking to information related to illegal drugs or drug advertising.'

Excellent! Now I don't have to go to jail for talking about the laws.

French Court Gives Yahoo More Time
Country Watch: France
7/25/2000; 8:20:29 AM 'A French court has extended its order against Yahoo (YHOO) to Aug. 11, giving the Santa Clara, Calif.-based company three more weeks to either remove Nazi-related items on its auction site or block the access of French citizens to such items. According to the original order issued by Judge Jean Jacques Gomez on May 22, certain items on Yahoo's U.S. auction site violate a French penal code outlawing the trivialization or denial of the Holocaust.'

'But Cyril Houri, founder of New York City-based Infosplit, disagrees [with Yahoo's claims of inability to selectively filter French people out based on geography]. Houri says he was contacted by Yahoo's expert witness, Paris-based EdelWeb, to simulate a server system using the company's software and see whether the system could determine the geographic location of visitors to the site. The test project worked, enabling the controlling Web site to block access to certain users.'

'"If you are in France, you would have seen a site that said, 'Access denied,' " says Houri, who listened to both sides testify before Gomez on Monday. According to Houri, Yahoo's experts did not mention his test trial in court.'

As far as I know, these geographical location services work by collecting massive databases of IP addresses (which every computer must have), and recording where those IP addresses are used. For instance, 35.8.x.x - 35.10.x.x would be listed in East Lansing, Michigan, USA, because those are the IP addresses of Michigan State University, received from the Merit 35.x.x.x class A block. (More technical description of IP addressing; just read up to Class D.) There are no other technological tricks they can play to find out where you are.

These services can be very accurate, because IP addresses must have a certain order to them, corresponding to the real world, in order to be routed correctly. If someone in France labels their computer as 35.9.24.53 and claims to be a computer from MSU, that's fine, but all the return packets that a server tries to send back to that computer from any external network will cross the Atlantic and end up at 35.9.24.53 here on my campus, where they will be either discarded or just plain lost if there's no computer with that IP.

However, it's not perfect, because you can use a proxy server, which will make all requests look like they are coming from the proxy computer, not the actual requesting computer. Most of the anonymizing services work in this way (including Anonymizer). If you still want to get at the geographically locked data, it can be done, and it's not all that hard, esp. in a 'community' of people that will be passing around instructions on how to do this, even if they don't understand what they're doing.

'Plaintiffs are not demanding that Yahoo necessarily alter its content, but rather that it make it impossible for France and its territories (including Corsica, Reunion, Guadeloupe and Tahiti) to access prohibited content. If Houri's claims are true, then Yahoo and other international companies can no longer dodge such situations by saying that the technology does not exist. "Of course Yahoo is not willing to block access," says Arie Aboulafia, VP of business development at Infosplit. "Every single country will ask them to start blocking sites."'

That would be an impossible burden for any but a huge company with lots of money.
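The address-database lookup described above, and its proxy blind spot, as an added example that is not part of the original post or of any real geolocation product. The MSU range is the one the post mentions; the other prefixes are constructed from documentation address space and are not real allocations.

```python
import ipaddress

# Constructed sample database: prefix -> location.  35.8.x.x - 35.10.x.x
# (the post's MSU example) is not a single CIDR block, so it takes two
# entries.  The 203.0.113.0/24 and 198.51.100.0/24 rows are made up.
GEO_DB = {
    "35.8.0.0/15": "East Lansing, Michigan, US",     # 35.8.x.x - 35.9.x.x
    "35.10.0.0/16": "East Lansing, Michigan, US",    # 35.10.x.x
    "203.0.113.0/24": "Paris, FR",                   # constructed
    "198.51.100.0/24": "New York, US",               # constructed proxy site
}

# Longest prefix first, the same ordering routers use, so the most
# specific record wins when ranges nest.
NETWORKS = sorted(
    ((ipaddress.ip_network(p), loc) for p, loc in GEO_DB.items()),
    key=lambda entry: entry[0].prefixlen,
    reverse=True,
)

def locate(addr):
    """Return the recorded location for an address, or None if unknown."""
    ip = ipaddress.ip_address(addr)
    for net, loc in NETWORKS:
        if ip in net:
            return loc
    return None

def apparent_location(client_addr, proxy_addr=None):
    """Location a site enforcing a geographic rule would assign.

    The site only sees the address its reply packets are routed back to.
    A spoofed source address gets no replies, which is why the database
    is reliable; but if the client goes through a proxy, that address is
    the proxy's, so the lookup lands on the proxy's entry, not the
    client's.  That is the limit the post describes."""
    return locate(proxy_addr if proxy_addr else client_addr)

if __name__ == "__main__":
    print(locate("35.9.24.53"))                                # MSU
    print(apparent_location("203.0.113.5"))                    # direct
    print(apparent_location("203.0.113.5", "198.51.100.7"))    # via proxy
```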

TheStandard.com: Germany Won't Block Access to Foreign Nazi Sites
Country Watch: Germany
7/25/2000; 7:55:41 AM 'Germany, which has some of the world's toughest laws banning race hate propaganda, has conceded defeat to the cross-border reach of the Internet and given up trying to bar access to foreign-based neo-Nazi sites.'

'Deputy Interior Minister Brigitte Zypries, the government's Internet security chief, said this week in an interview with Reuters that it was unrealistic to try to shield Germans from foreign Web sites, even though police do aim to stop homegrown Nazi and other offensive material, such as child pornography.'

Also some other interesting statements...

'Sensitivity about the past also means that Germany has a strong culture of personal privacy and so far the government has shied away from efforts being made in the United States and Britain to monitor certain e-mail for signs of illegal activity.'

'"Germany, because of its history with state restrictions, is especially careful and we are very sensitive about state intrusions into the private sphere," Zypries told Reuters.'

'"Anyway, the Americans are not further along in the fight against organized crime even though they have these rights."'

An understanding that privacy and complete law enforcement powers may be a contradiction... not bad!

'Discussing recent computer virus attacks, Zypries said business must play the lead role in protecting themselves.'

'"It is business which must develop over the Internet and it is these businesses that must create the security," she said.'

'"It is the same as a bank here in the city which must make themselves secure against a break in. We don't surround them with police either."'

This is an even better policy, as it's easier to protect against a computer attack, in general.