October 2006


On Wednesday at 7 PM I’m going to be talking to a group of Democrats about the Hepting v. AT&T case and warrantless wiretapping. Here’s the 411.

Speaker: AT&T Warrantless Wiretapping Case
When: Wednesday, October 18, 2006 @ 07:00 PM – 08:00 PM PDT
Where: Cubberley Community Center, Room A3
4000 Middlefield Road
Palo Alto, CA 94303

Description:
The “Draft Russ Feingold For President” meetup group is hosting Jennifer Granick, Executive Director of CIS at Stanford University. She will be speaking about the AT&T warrantless wiretapping case. She helped with the Amicus Curiae brief for the plaintiffs in the case. Everyone is welcome to attend; there is no fee.

My father sent me David Pogue’s column on data privacy the other day. Pogue basically says you have no privacy and no one is interested in you anyway. That’s what I used to believe, but then I learned that they are interested in us. The government is using mass surveillance techniques, and companies want to monetize every bit of information about us that they have. Here are my responses to Pogue’s argument. I’ve clipped paragraphs from the full column.

From the Desk of David Pogue: Some Perspective on Privacy
=================================================

In one of my Pogue’s Posts blog entries last week,
http://pogue.blogs.nytimes.com/2006/10/09/09pogues-posts-4/

I wrote about Futurephone, a very cool and very free way
to make international phone calls. Not from your computer–
from your phone.

OK, I’m as interested in privacy as the next person. But if
someone were interested in harvesting phone numbers, why
would he go to the trouble of launching this elaborate phone-
services company? Wouldn’t it be infinitely more efficient
just to pick up a tidy, complete, ready-to-harvest, pre-
compiled list of phone numbers–a little thing called the
*phone book*?

What’s interesting isn’t the numbers, it’s the circles of connections. Who calls whom. Who knows whom. Who spends how much time on the phone. Who is a node that gets the most calls. Traffic analysis, not pure data collection.

And then the bit about listening in to your calls. Well,
sure, I guess Futurephone could theoretically listen in to
your calls. But why stop being neurotic right there? Why not
worry about Skype listening in to your Skype calls? And
Verizon, Cingular, T-Mobile and Sprint? And your long-
distance and home-phone companies? Heck, someone might have
bugged the room you’re in at this very moment!

They are surveilling us right now. AT&T (at least) makes copies of all your calls and emails and saves them for the NSA. Other phone companies admittedly provide access when the gov’t says that Al Qaeda is calling.

This all reminds me of a recent e-mail from a reader who
wanted to know if it’s possible to get a cellphone that
encrypts your conversation so nobody can eavesdrop on the
line.

This is why we have digital phones. Analog ones are easily eavesdroppable. Same with cordless phones: they basically broadcast. Your neighbor can stand in the yard and intercept your calls.

Dude: if anyone’s going to eavesdrop on your cellphone calls,
it’s not going to be mysterious spies hacking into the
cellular network towers. It’s going to be the person next to
you on the plane, train or sidewalk.

The point is that technology allows the eavesdropping without your knowledge.

And then there was the week my own home-office phone number
flashed for a moment on the screen of a cellphone in one of
my weekly nytimes.com videos. I didn’t really care, because
(a) I had to show *someone’s* phone number to illustrate the
feature, and (b) what’s the worst that could happen? Someone
might (gasp) CALL ME?

I guess people don’t hate Pogue as much as they hate some other writers. But some reporters engender disagreement, and those disagreers can get pretty worked up. I like to leave work calls at work.

So what’s my point?

I’m alarmed at our loss of privacy. I wish we had more. I
wish we left fewer tracks.

But please–have some perspective. Before you worry that
Futurephone is collecting phone numbers in Venezuela,
shouldn’t you first cut up your credit cards, get an unlisted
number and pay for your hotel rooms in cash?

It’s not a question of locking down all your private information at one time. You make a risk/reward calculation. It’s worth it to me to give up my address information for the convenience of credit cards, but perhaps it’s not worth it for me to give up my communications privacy for free phone calls.

All of the much smaller potential abuses make a whopping
assumption: that somebody actually *cares a whit* about you
and your mundane daily communications. Yes, of course someone
at the phone company could look over your phone records and
figure out whom you call. But who would ever be so bored,
and–forgive me–what could ever be so boring?

Actually, it’s useful for marketing, and the government is already doing something like this to spot terrorist sympathizers with a “six degrees of separation” kind of tactic.

You’re already in a thousand databases. Your tracks are
everywhere. MasterCard knows where you go and what you buy.
Your grocery store knows what you eat and how often. You gave
up your theoretical online privacy the day you signed up for
an Internet account, let alone this newsletter.

Scott McNealy expressed this years ago when he said, “You have zero privacy anyway. Get over it.” We don’t want to get over it. We want to put the control back in the hands of the citizen.
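The two points above about traffic analysis (it is the circles of connections, the nodes that get the most calls, and the “six degrees of separation” expansion that matter, not the raw numbers) are easier to see with a small worked example. The following is an added illustration, not code from the original post or from any phone company or agency; it runs over a handful of constructed, fictitious call-detail records (caller, callee, duration in seconds) and uses nothing but that metadata, never call content, to rank hub numbers and to list everyone within a given number of hops of one number of interest.

```python
from collections import defaultdict, deque

# Constructed sample call-detail records: (caller, callee, seconds).
# The numbers are fictitious placeholders, not real data.
SAMPLE_CDRS = [
    ("555-0100", "555-0101", 300),
    ("555-0100", "555-0102", 120),
    ("555-0103", "555-0100", 900),
    ("555-0101", "555-0104", 60),
    ("555-0104", "555-0105", 45),
    ("555-0105", "555-0106", 30),
    ("555-0102", "555-0100", 600),
    ("555-0107", "555-0108", 200),
]


def build_call_graph(cdrs):
    """Build an undirected graph of who talked to whom, plus total airtime per number.

    Only metadata (the two endpoints and the duration) is used; the content of
    the calls is never needed to produce the picture below.
    """
    contacts = defaultdict(set)
    airtime = defaultdict(int)
    for caller, callee, seconds in cdrs:
        contacts[caller].add(callee)
        contacts[callee].add(caller)
        airtime[caller] += seconds
        airtime[callee] += seconds
    return contacts, airtime


def hub_numbers(contacts, top=3):
    """Rank numbers by how many distinct parties they talk to.

    This is the 'node that gets the most calls' view: the number with the
    widest circle, regardless of what was said on any call.
    """
    ranked = sorted(contacts, key=lambda n: (-len(contacts[n]), n))
    return [(n, len(contacts[n])) for n in ranked[:top]]


def within_hops(contacts, seed, max_hops):
    """Return every number reachable from `seed` in at most `max_hops` calls,
    mapped to its hop distance.

    A breadth-first search from one number of interest is the 'six degrees of
    separation' tactic in its simplest form: each extra hop pulls in everyone
    the previous ring talked to, whether or not they know the seed at all.
    """
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue
        for nxt in contacts.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    return dist


if __name__ == "__main__":
    graph, airtime = build_call_graph(SAMPLE_CDRS)
    print("hubs:", hub_numbers(graph))
    print("airtime for 555-0100:", airtime["555-0100"], "seconds")
    ring = within_hops(graph, "555-0100", 2)
    print("within 2 hops of 555-0100:", sorted(ring.items(), key=lambda kv: kv[1]))
```

Run on the constructed records, the hub ranking singles out 555-0100 (three distinct contacts, 1920 seconds of airtime) without anyone reading a word of its calls, and a two-hop expansion from it already sweeps in 555-0104, which never called 555-0100 at all; widen the radius to six hops and the whole connected cluster is in the net, while the unrelated pair 555-0107/555-0108 stays out. That gap between “who talked to whom” and “what was said” is exactly why metadata retention is a privacy problem even when nobody is listening.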

My latest column for Wired News is “Politics Get Caught in the Web.” In the column, I point to multiple instances of political campaigns’ cybersquatting, errant uploading, haphazard clicking, and site crashing. Then I ask: if these people want to run our government, shouldn’t they be expected to be able to use the internet without getting in trouble first? The answer, sadly, is no. The law is so disconnected from reality, so complicated and strange, and campaigns are such aggressive disseminators and collectors of information, that they are bound to make mistakes.

Suicide Bots is a great new blog about robots and the dirty things they do.

Here’s a press release from New College about how Democracy Now!’s Amy Goodman almost got to mention my alma mater on the Colbert Report. Goodman was at New College promoting her new book, Static.

Rick Bolanos, the Democratic candidate for Congress in San Antonio, Texas, filed a lawsuit Thursday alleging U.S. Rep. Henry Bonilla’s campaign illegally bought at least a dozen Web sites Bolanos would have used for his campaign’s online site. I’m quoted in the AP story saying: “It’s not a crazy case but it’s using this statute in kind of a creative way to reach conduct that, in the context of a campaign, that this statute wasn’t contemplating.”

Bruce Schneier’s been following Microsoft’s lawsuit against the anonymous John Does responsible for the FairUse4WM software. I decided to take a look at the complaint and see what, exactly, Microsoft says is illegal about FairUse4WM.

The complaint is pretty sparse. It has just five paragraphs of factual allegations, only one of which explains what FairUse4WM does (strips DRM), and only one that explains what the Does allegedly did wrong:

Upon information and belief, Defendants’ FairUse4WM software program: (i) contains proprietary computer code from Microsoft’s Windows Media Format SDK v. 9.5, (ii) is a derivative work of Microsoft’s Windows Media Format SDK v. 9.5, and (iii) is a derivative work of Microsoft’s DRM technologies.

Let’s dissect that. “Upon information and belief” is a phrase lawyers use in complaints when they have a good faith belief that something is true, but they don’t have any personal knowledge that it is true. This is a pretty weak way to allege the fundamental charge in the lawsuit, which is that FairUse4WM is itself copyright infringing (as opposed to aiding others’ infringement).

Why doesn’t Microsoft know whether or not FU4WM contains proprietary code? I need some tech help here. Is it possible to download FU4WM, look at the code and see whether it contains MS code? The same goes for the claim that FU4WM is a derivative work of the WMF SDK: that would again require the program code to use some protected expressive aspect of the code from the WMF SDK.

Finally, the allegation that FU4WM is a derivative of Microsoft’s “DRM technologies” is just vague to the extreme. Which technologies? What part is derivative? This is almost like an afterthought because someone thought it was better to list three things than two.

If the allegations are so sparse, what is this case about? It looks to me like the case is really about finding out who the John Does are. Microsoft filed a motion for third party discovery and a declaration asking for permission to serve subpoenas for their identifying information.

Why would Microsoft want to know who the Does are? I suppose even with a case this weak, they may believe they can obtain a settlement that would stop the Does from doing what they are doing. That’s going to be difficult if the creators are overseas or able to fight back. But stopping these Does isn’t going to stop another set of coders from distributing a different tool, or a new tool that breaks the next iteration of their DRM, particularly if those tools are completely free of proprietary code.

I think Microsoft might believe that the people behind FairUse4WM are insiders, because of the speed with which the tool was released following the latest DRM updates. I think they want to know if there’s a fox in the henhouse. That’s the only way I can see this lawsuit making any kind of financial sense for the company. Then again, it doesn’t look like the lawyers have put a lot of time into this case so far.

My esteemed colleague Bob Weisberg and I disagree on the strength of the criminal charges against former HP Director Patricia Dunn (Dunn, Four Others Charged in Hewlett Surveillance Case – washingtonpost.com). I’m not sure he and I are exactly commenting on the same thing. He’s talking about the applicability of the substance of the charges to pretexting generally, and I’m talking about whether the evidence of Dunn’s involvement is strong enough to hold her directly or vicariously liable. Still, I think that if the prosecution can prove Dunn knew her investigators were lying to get journalists’ phone records, a jury will find her guilty.

Brad dissects the Best Show on TV.

In this story from the New Zealand courts, an “ethical hacker” with multiple prior fraud convictions escapes punishment after an unauthorized audit of a bank’s computer system. The judge was influenced by the fact that the information was important to preserve customer privacy and security, that the defendant hadn’t been convicted of anything in quite a while, and that he only distributed the audit information to the bank and not to outsiders, though he did ask for money in return for his services.


Pointing at Me (photo originally uploaded by Terry Stedman)

I love this picture. It’s a typical party at my alma mater, New College in Sarasota, Florida.

Cory posted this news from Toorcon: Boing Boing: Speech given by censored Apple WiFi hacker at ToorCon. A lot of people have asked me whether Apple has any legal right to control the release of information about security flaws in its products. For more information about the law of vulnerability disclosure, you can check out my 2004 speech at Black Hat USA.
